cmd/cloner, tailcfg: fix nil vs len 0 issues, add tests, use for Hostinfo

Also use go:generate and https://golang.org/s/generatedcode header style.

.bencher/config.yaml

@@ -1 +0,0 @@
-suppress_failure_on_regression: true

.gitattributes

@@ -1,2 +1 @@
 go.mod filter=go-mod
-*.go  diff=golang

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,37 @@
+---
+name: Bug report
+about: Create a bug report
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+<!-- Please note, this template is for definite bugs, not requests for
+support. If you need help with Tailscale, please email
+support@tailscale.com. We don't provide support via Github issues. -->
+
+**Describe the bug**
+A clear and concise description of what the bug is.
+
+**To Reproduce**
+Steps to reproduce the behavior:
+1. Go to '...'
+2. Click on '....'
+3. Scroll down to '....'
+4. See error
+
+**Expected behavior**
+A clear and concise description of what you expected to happen.
+
+**Screenshots**
+If applicable, add screenshots to help explain your problem.
+
+**Version information:**
+ - Device: [e.g. iPhone X, laptop]
+ - OS: [e.g. Windows, MacOS]
+ - OS version: [e.g. Windows 10, Ubuntu 18.04]
+ - Tailscale version: [e.g. 0.95-0]
+
+**Additional context**
+Add any other context about the problem here.

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -1,81 +0,0 @@
-name: Bug report
-description: File a bug report. If you need help, contact support instead
-labels: [needs-triage, bug]
-body:
-  - type: markdown
-    attributes:
-      value: |
-        Need help with your tailnet? [Contact support](https://tailscale.com/contact/support) instead.
-        Otherwise, please check if your bug is [already filed](https://github.com/tailscale/tailscale/issues) before filing a new one.
-  - type: textarea
-    id: what-happened
-    attributes:
-      label: What is the issue?
-      description: What happened? What did you expect to happen?
-    validations:
-      required: true
-  - type: textarea
-    id: steps
-    attributes:
-      label: Steps to reproduce
-      description: What are the steps you took that hit this issue?
-    validations:
-      required: false
-  - type: textarea
-    id: changes
-    attributes:
-      label: Are there any recent changes that introduced the issue?
-      description: If so, what are those changes?
-    validations:
-      required: false
-  - type: dropdown
-    id: os
-    attributes:
-      label: OS
-      description: What OS are you using? You may select more than one.
-      multiple: true
-      options:
-        - Linux
-        - macOS
-        - Windows
-        - iOS
-        - Android
-        - Synology
-        - Other
-    validations:
-      required: false
-  - type: input
-    id: os-version
-    attributes:
-      label: OS version
-      description: What OS version are you using?
-      placeholder: e.g., Debian 11.0, macOS Big Sur 11.6, Synology DSM 7
-    validations:
-      required: false
-  - type: input
-    id: ts-version
-    attributes:
-      label: Tailscale version
-      description: What Tailscale version are you using?
-      placeholder: e.g., 1.14.4
-    validations:
-      required: false
-  - type: textarea
-    id: other-software
-    attributes:
-      label: Other software
-      description: What [other software](https://github.com/tailscale/tailscale/wiki/OtherSoftwareInterop) (networking, security, etc) are you running?
-    validations:
-      required: false
-  - type: input
-    id: bug-report
-    attributes:
-      label: Bug report
-      description: Please run [`tailscale bugreport`](https://tailscale.com/kb/1080/cli/?q=Cli#bugreport) and share the bug identifier. The identifier is a random string which allows Tailscale support to locate your account and gives a point to focus on when looking for errors.
-      placeholder: e.g., BUG-1b7641a16971a9cd75822c0ed8043fee70ae88cf05c52981dc220eb96a5c49a8-20210427151443Z-fbcd4fd3a4b7ad94
-    validations:
-      required: false
-  - type: markdown
-    attributes:
-      value: |
-        Thanks for filing a bug report!

.github/ISSUE_TEMPLATE/config.yml

@@ -1,8 +1,5 @@
 blank_issues_enabled: true
 contact_links:
-  - name: Support
-    url: https://tailscale.com/contact/support/
-    about: Contact us for support
-  - name: Troubleshooting
+  - name: Support and Product Questions
     url: https://tailscale.com/kb/1023/troubleshooting
-    about: See the troubleshooting guide for help addressing common issues
+    about: Please send support questions and questions about the Tailscale product to support@tailscale.com

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,26 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+**Is your feature request related to a problem? Please describe.**
+
+A clear and concise description of what the problem is. Ex. I'm always
+frustrated when [...]
+
+**Describe the solution you'd like**
+
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+
+A clear and concise description of any alternative solutions or
+features you've considered.
+
+**Additional context**
+
+Add any other context or screenshots about the feature request here.

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -1,42 +0,0 @@
-name: Feature request
-description: Propose a new feature
-title: "FR: "
-labels: [needs-triage, fr]
-body:
-  - type: markdown
-    attributes:
-      value: |
-        Please check if your feature request is [already filed](https://github.com/tailscale/tailscale/issues).
-        Tell us about your idea!
-  - type: textarea
-    id: problem
-    attributes:
-      label: What are you trying to do?
-      description: Tell us about the problem you're trying to solve.
-    validations:
-      required: false
-  - type: textarea
-    id: solution
-    attributes:
-      label: How should we solve this?
-      description: If you have an idea of how you'd like to see this feature work, let us know.
-    validations:
-      required: false
-  - type: textarea
-    id: alternative
-    attributes:
-      label: What is the impact of not solving this?
-      description: (How) Are you currently working around the issue?
-    validations:
-      required: false
-  - type: textarea
-    id: context
-    attributes:
-      label: Anything else?
-      description: Any additional context to share, e.g., links
-    validations:
-      required: false
-  - type: markdown
-    attributes:
-      value: |
-        Thanks for filing a feature request!

.github/dependabot.yml

@@ -1,21 +0,0 @@
-# Documentation for this file can be found at:
-# https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/configuration-options-for-dependency-updates
-version: 2
-updates:
-  ## Disabled between releases. We reenable it briefly after every
-  ## stable release, pull in all changes, and close it again so that
-  ## the tree remains more stable during development and the upstream
-  ## changes have time to soak before the next release.
-  # - package-ecosystem: "gomod"
-  #   directory: "/"
-  #   schedule:
-  #     interval: "daily"
-  #   commit-message:
-  #     prefix: "go.mod:"
-  #   open-pull-requests-limit: 100
-  - package-ecosystem: "github-actions"
-    directory: "/"
-    schedule:
-      interval: "weekly"
-    commit-message:
-      prefix: ".github:"

.github/licenses.tmpl

@@ -1,17 +0,0 @@
-# Tailscale CLI and daemon dependencies
-
-The following open source dependencies are used to build the [tailscale][] and
-[tailscaled][] commands. These are primarily used on Linux and BSD variants as
-well as an [option for macOS][].
-
-[tailscale]: https://pkg.go.dev/tailscale.com/cmd/tailscale
-[tailscaled]: https://pkg.go.dev/tailscale.com/cmd/tailscaled
-[option for macOS]: https://tailscale.com/kb/1065/macos-variants/
-
-## Go Packages
-
-Some packages may only be included on certain architectures or operating systems.
-
-{{ range . }}
- - [{{.Name}}](https://pkg.go.dev/{{.Name}}) ([{{.LicenseName}}]({{.LicenseURL}}))
-{{- end }}

.github/workflows/codeql-analysis.yml

@@ -1,77 +0,0 @@
-# For most projects, this workflow file will not need changing; you simply need
-# to commit it to your repository.
-#
-# You may wish to alter this file to override the set of languages analyzed,
-# or to provide custom queries or build logic.
-#
-# ******** NOTE ********
-# We have attempted to detect the languages in your repository. Please check
-# the `language` matrix defined below to confirm you have the correct set of
-# supported CodeQL languages.
-#
-name: "CodeQL"
-
-on:
-  push:
-    branches: [ main, release-branch/* ]
-  pull_request:
-    # The branches below must be a subset of the branches above
-    branches: [ main ]
-  merge_group:
-    branches: [ main ]
-  schedule:
-    - cron: '31 14 * * 5'
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  analyze:
-    name: Analyze
-    runs-on: ubuntu-latest
-    permissions:
-      actions: read
-      contents: read
-      security-events: write
-
-    strategy:
-      fail-fast: false
-      matrix:
-        language: [ 'go' ]
-        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python' ]
-        # Learn more:
-        # https://docs.github.com/en/free-pro-team@latest/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#changing-the-languages-that-are-analyzed
-
-    steps:
-    - name: Checkout repository
-      uses: actions/checkout@v3
-
-    # Initializes the CodeQL tools for scanning.
-    - name: Initialize CodeQL
-      uses: github/codeql-action/init@v2
-      with:
-        languages: ${{ matrix.language }}
-        # If you wish to specify custom queries, you can do so here or in a config file.
-        # By default, queries listed here will override any specified in a config file.
-        # Prefix the list here with "+" to use these queries and those in the config file.
-        # queries: ./path/to/local/query, your-org/your-repo/queries@main
-
-    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
-    # If this step fails, then you should remove it and run the build manually (see below)
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
-
-    # ℹ️ Command-line programs to run using the OS shell.
-    # 📚 https://git.io/JvXDl
-
-    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
-    #    and modify them (or add more) to build your code if your project
-    #    uses a compiled language
-
-    #- run: |
-    #   make bootstrap
-    #   make release
-
-    - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v2

.github/workflows/cross-darwin.yml

@@ -0,0 +1,53 @@
+name: Darwin-Cross
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+
+    - name: Set up Go
+      uses: actions/setup-go@v1
+      with:
+        go-version: 1.14
+      id: go
+
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v1
+
+    - name: macOS build cmd
+      env:
+        GOOS: darwin
+        GOARCH: amd64
+      run: go build ./cmd/...
+
+    - name: macOS build tests
+      env:
+        GOOS: darwin
+        GOARCH: amd64
+      run: for d in $(go list -f '{{if .TestGoFiles}}{{.Dir}}{{end}}' ./... ); do (echo $d; cd $d && go test -c ); done
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'

.github/workflows/cross-freebsd.yml

@@ -0,0 +1,53 @@
+name: FreeBSD-Cross
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+
+    - name: Set up Go
+      uses: actions/setup-go@v1
+      with:
+        go-version: 1.14
+      id: go
+
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v1
+
+    - name: FreeBSD build cmd
+      env:
+        GOOS: freebsd
+        GOARCH: amd64
+      run: go build ./cmd/...
+
+    - name: FreeBSD build tests
+      env:
+        GOOS: freebsd
+        GOARCH: amd64
+      run: for d in $(go list -f '{{if .TestGoFiles}}{{.Dir}}{{end}}' ./... ); do (echo $d; cd $d && go test -c ); done
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'

.github/workflows/cross-openbsd.yml

@@ -0,0 +1,53 @@
+name: OpenBSD-Cross
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+
+    - name: Set up Go
+      uses: actions/setup-go@v1
+      with:
+        go-version: 1.14
+      id: go
+
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v1
+
+    - name: OpenBSD build cmd
+      env:
+        GOOS: openbsd
+        GOARCH: amd64
+      run: go build ./cmd/...
+
+    - name: OpenBSD build tests
+      env:
+        GOOS: openbsd
+        GOARCH: amd64
+      run: for d in $(go list -f '{{if .TestGoFiles}}{{.Dir}}{{end}}' ./... ); do (echo $d; cd $d && go test -c ); done
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'

.github/workflows/cross-windows.yml

@@ -0,0 +1,53 @@
+name: Windows-Cross
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+
+    - name: Set up Go
+      uses: actions/setup-go@v1
+      with:
+        go-version: 1.14
+      id: go
+
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v1
+
+    - name: Windows build cmd
+      env:
+        GOOS: windows
+        GOARCH: amd64
+      run: go build ./cmd/...
+
+    - name: Windows build tests
+      env:
+        GOOS: windows
+        GOARCH: amd64
+      run: for d in $(go list -f '{{if .TestGoFiles}}{{.Dir}}{{end}}' ./... ); do (echo $d; cd $d && go test -c ); done
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'

.github/workflows/docker-file-build.yml

@@ -1,15 +0,0 @@
-name: "Dockerfile build"
-on: 
-  push:
-    branches:
-    - main
-  pull_request:
-    branches:
-      - "*"
-jobs:
-  deploy:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v3
-    - name: "Build Docker image"
-      run: docker build .

.github/workflows/flakehub-publish-tagged.yml

@@ -1,27 +0,0 @@
-name: update-flakehub
-
-on:
-  push:
-    tags:
-      - "v[0-9]+.*[02468].[0-9]+"
-  workflow_dispatch:
-    inputs:
-      tag:
-        description: "The existing tag to publish to FlakeHub"
-        type: "string"
-        required: true
-jobs:
-  flakehub-publish:
-    runs-on: "ubuntu-latest"
-    permissions:
-      id-token: "write"
-      contents: "read"
-    steps:
-      - uses: "actions/checkout@v3"
-        with:
-          ref: "${{ (inputs.tag != null) && format('refs/tags/{0}', inputs.tag) || '' }}"
-      - uses: "DeterminateSystems/nix-installer-action@main"
-      - uses: "DeterminateSystems/flakehub-push@main"
-        with:
-          visibility: "public"
-          tag: "${{ inputs.tag }}"

.github/workflows/go-licenses.yml

@@ -1,64 +0,0 @@
-name: go-licenses
-
-on:
-  # run action when a change lands in the main branch which updates go.mod or
-  # our license template file. Also allow manual triggering.
-  push:
-    branches:
-      - main
-    paths:
-      - go.mod
-      - .github/licenses.tmpl
-      - .github/workflows/go-licenses.yml
-  workflow_dispatch:
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  update-licenses:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v3
-
-      - name: Set up Go
-        uses: actions/setup-go@v4
-        with:
-          go-version-file: go.mod
-
-      - name: Install go-licenses
-        run: |
-          go install github.com/google/go-licenses@v1.2.2-0.20220825154955-5eedde1c6584
-
-      - name: Run go-licenses
-        env:
-          # include all build tags to include platform-specific dependencies
-          GOFLAGS: "-tags=android,cgo,darwin,freebsd,ios,js,linux,openbsd,wasm,windows"
-        run: |
-          [ -d licenses ] || mkdir licenses
-          go-licenses report tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled > licenses/tailscale.md --template .github/licenses.tmpl
-
-      - name: Get access token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
-        id: generate-token
-        with:
-          app_id: ${{ secrets.LICENSING_APP_ID }}
-          installation_id: ${{ secrets.LICENSING_APP_INSTALLATION_ID }}
-          private_key: ${{ secrets.LICENSING_APP_PRIVATE_KEY }}
-
-      - name: Send pull request
-        uses: peter-evans/create-pull-request@284f54f989303d2699d373481a0cfa13ad5a6666 #v5.0.1
-        with:
-          token: ${{ steps.generate-token.outputs.token }}
-          author: License Updater <noreply+license-updater@tailscale.com>
-          committer: License Updater <noreply+license-updater@tailscale.com>
-          branch: licenses/cli
-          commit-message: "licenses: update tailscale{,d} licenses"
-          title: "licenses: update tailscale{,d} licenses"
-          body: Triggered by ${{ github.repository }}@${{ github.sha }}
-          signoff: true
-          delete-branch: true
-          team-reviewers: opensource-license-reviewers

.github/workflows/golangci-lint.yml

@@ -1,40 +0,0 @@
-name: golangci-lint
-on:
-  # For now, only lint pull requests, not the main branches.
-  pull_request:
-
-  # TODO(andrew): enable for main branch after an initial waiting period.
-  #push:
-  #  branches:
-  #    - main
-
-  workflow_dispatch:
-
-permissions:
-  contents: read
-  pull-requests: read
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  golangci:
-    name: lint
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v3
-
-      - uses: actions/setup-go@v4
-        with:
-          go-version-file: go.mod
-          cache: false
-
-      - name: golangci-lint
-        # Note: this is the 'v3' tag as of 2023-04-17
-        uses: golangci/golangci-lint-action@639cd343e1d3b897ff35927a75193d57cfcba299
-        with:
-          version: v1.52.2
-
-          # Show only new issues if it's a pull request.
-          only-new-issues: true

.github/workflows/govulncheck.yml

@@ -1,37 +0,0 @@
-name: govulncheck
-
-on:
-  schedule:
-    - cron: "0 12 * * *" # 8am EST / 10am PST / 12pm UTC
-  workflow_dispatch: # allow manual trigger for testing
-  pull_request:
-    paths:
-      - ".github/workflows/govulncheck.yml"
-
-jobs:
-  source-scan:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@v3
-
-      - name: Install govulncheck
-        run: ./tool/go install golang.org/x/vuln/cmd/govulncheck@latest
-
-      - name: Scan source code for known vulnerabilities
-        run: PATH=$PWD/tool/:$PATH "$(./tool/go env GOPATH)/bin/govulncheck" -test ./...
-
-      - uses: ruby/action-slack@v3.2.1
-        with:
-          payload: >
-            {
-              "attachments": [{
-                "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks>
-                        (<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|commit>) of ${{ github.repository }}@${{ github.ref_name }} by ${{ github.event.head_commit.committer.name }}",
-                "color": "danger"
-              }]
-            }
-        env:
-          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-        if: failure() && github.event_name == 'schedule'

.github/workflows/installer.yml

@@ -1,102 +0,0 @@
-name: test installer.sh
-
-on:
-  push:
-    branches:
-      - "main"
-    paths:
-      - scripts/installer.sh
-  pull_request:
-    branches:
-      - "*"
-    paths:
-      - scripts/installer.sh
-
-jobs:
-  test:
-    strategy:
-      # Don't abort the entire matrix if one element fails.
-      fail-fast: false
-      # Don't start all of these at once, which could saturate Github workers.
-      max-parallel: 4
-      matrix:
-        image:
-          # This is a list of Docker images against which we test our installer.
-          # If you find that some of these no longer exist, please feel free
-          # to remove them from the list.
-          # When adding new images, please only use official ones.
-          - "debian:oldstable-slim"
-          - "debian:stable-slim"
-          - "debian:testing-slim"
-          - "debian:sid-slim"
-          - "ubuntu:18.04"
-          - "ubuntu:20.04"
-          - "ubuntu:22.04"
-          - "ubuntu:22.10"
-          - "ubuntu:23.04"
-          - "elementary/docker:stable"
-          - "elementary/docker:unstable"
-          - "parrotsec/core:lts-amd64"
-          - "parrotsec/core:latest"
-          - "kalilinux/kali-rolling"
-          - "kalilinux/kali-dev"
-          - "oraclelinux:9"
-          - "oraclelinux:8"
-          - "fedora:latest"
-          - "rockylinux:8.7"
-          - "rockylinux:9"
-          - "amazonlinux:latest"
-          - "opensuse/leap:latest"
-          - "opensuse/tumbleweed:latest"
-          - "archlinux:latest"
-          - "alpine:3.14"
-          - "alpine:latest"
-          - "alpine:edge"
-        deps:
-          # Run all images installing curl as a dependency.
-          - curl
-        include:
-          # Check a few images with wget rather than curl.
-          - { image: "debian:oldstable-slim", deps: "wget" }
-          - { image: "debian:sid-slim", deps: "wget" }
-          - { image: "ubuntu:23.04", deps: "wget" }
-          # Ubuntu 16.04 also needs apt-transport-https installed.
-          - { image: "ubuntu:16.04", deps: "curl apt-transport-https" }
-          - { image: "ubuntu:16.04", deps: "wget apt-transport-https" }
-    runs-on: ubuntu-latest
-    container:
-      image: ${{ matrix.image }}
-      options: --user root
-    steps:
-    - name: install dependencies (yum)
-      # tar and gzip are needed by the actions/checkout below.
-      run: yum install -y --allowerasing tar gzip ${{ matrix.deps }}
-      if: |
-        contains(matrix.image, 'centos')
-        || contains(matrix.image, 'oraclelinux')
-        || contains(matrix.image, 'fedora')
-        || contains(matrix.image, 'amazonlinux')
-    - name: install dependencies (zypper)
-      # tar and gzip are needed by the actions/checkout below.
-      run: zypper --non-interactive install tar gzip ${{ matrix.deps }}
-      if: contains(matrix.image, 'opensuse')
-    - name: install dependencies (apt-get)
-      run: |
-        apt-get update
-        apt-get install -y ${{ matrix.deps }}
-      if: |
-        contains(matrix.image, 'debian')
-        || contains(matrix.image, 'ubuntu')
-        || contains(matrix.image, 'elementary')
-        || contains(matrix.image, 'parrotsec')
-        || contains(matrix.image, 'kalilinux')
-    - name: checkout
-      uses: actions/checkout@v3
-    - name: run installer
-      run: scripts/installer.sh
-      # Package installation can fail in docker because systemd is not running
-      # as PID 1, so ignore errors at this step. The real check is the
-      # `tailscale --version` command below.
-      continue-on-error: true
-    - name: check tailscale version
-      run: tailscale --version

.github/workflows/license.yml

@@ -0,0 +1,40 @@
+name: license
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Set up Go
+      uses: actions/setup-go@v1
+      with:
+        go-version: 1.14
+
+    - name: Check out code
+      uses: actions/checkout@v1
+
+    - name: Run license checker
+      run: ./scripts/check_license_headers.sh .
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'

.github/workflows/linux.yml

@@ -0,0 +1,48 @@
+name: Linux
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+
+    - name: Set up Go
+      uses: actions/setup-go@v1
+      with:
+        go-version: 1.14
+      id: go
+
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v1
+
+    - name: Basic build
+      run: go build ./cmd/...
+
+    - name: Run tests on linux
+      run: go test ./...
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
+

.github/workflows/linux32.yml

@@ -0,0 +1,48 @@
+name: Linux 32-bit
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    if: "!contains(github.event.head_commit.message, '[ci skip]')"
+
+    steps:
+
+    - name: Set up Go
+      uses: actions/setup-go@v1
+      with:
+        go-version: 1.14
+      id: go
+
+    - name: Check out code into the Go module directory
+      uses: actions/checkout@v1
+
+    - name: Basic build
+      run: GOARCH=386 go build ./cmd/...
+
+    - name: Run tests on linux
+      run: GOARCH=386 go test ./...
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'
+

.github/workflows/staticcheck.yml

@@ -0,0 +1,46 @@
+name: staticcheck
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - '*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Set up Go
+      uses: actions/setup-go@v1
+      with:
+        go-version: 1.14
+
+    - name: Check out code
+      uses: actions/checkout@v1
+
+    - name: Run go vet
+      run: go vet ./...
+
+    - name: Print staticcheck version
+      run: go run honnef.co/go/tools/cmd/staticcheck -version
+
+    - name: Run staticcheck
+      run: "go run honnef.co/go/tools/cmd/staticcheck -- $(go list ./... | grep -v tempfork)"
+
+    - uses: k0kubun/action-slack@v2.0.0
+      with:
+        payload: |
+          {
+            "attachments": [{
+              "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks|${{ env.COMMIT_DATE }} #${{ env.COMMIT_NUMBER_OF_DAY }}> " +
+                      "(<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|" + "${{ github.sha }}".substring(0, 10) + ">) " +
+                      "of ${{ github.repository }}@" + "${{ github.ref }}".split('/').reverse()[0] + " by ${{ github.event.head_commit.committer.name }}",
+              "color": "danger"
+            }]
+          }
+      env:
+        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+      if: failure() && github.event_name == 'push'

.github/workflows/test.yml

@@ -1,503 +0,0 @@
-# This is our main "CI tests" workflow. It runs everything that should run on
-# both PRs and merged commits, and for the latter reports failures to slack.
-name: CI
-
-env:
-  # Our fuzz job, powered by OSS-Fuzz, fails periodically because we upgrade to
-  # new Go versions very eagerly. OSS-Fuzz is a little more conservative, and
-  # ends up being unable to compile our code.
-  #
-  # When this happens, we want to disable the fuzz target until OSS-Fuzz catches
-  # up. However, we also don't want to forget to turn it back on when OSS-Fuzz
-  # can once again build our code.
-  #
-  # This variable toggles the fuzz job between two modes:
-  #  - false: we expect fuzzing to be happy, and should report failure if it's not.
-  #  - true: we expect fuzzing is broken, and should report failure if it start working.
-  TS_FUZZ_CURRENTLY_BROKEN: false
-
-on:
-  push:
-    branches:
-      - "main"
-      - "release-branch/*"
-  pull_request:
-    branches:
-      - "*"
-  merge_group:
-    branches:
-      - "main"
-
-concurrency:
-  # For PRs, later CI runs preempt previous ones. e.g. a force push on a PR
-  # cancels running CI jobs and starts all new ones.
-  #
-  # For non-PR pushes, concurrency.group needs to be unique for every distinct
-  # CI run we want to have happen. Use run_id, which in practice means all
-  # non-PR CI runs will be allowed to run without preempting each other.
-  group: ${{ github.workflow }}-$${{ github.pull_request.number || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  test:
-    strategy:
-      fail-fast: false # don't abort the entire matrix if one element fails
-      matrix:
-        include:
-          - goarch: amd64
-          - goarch: amd64
-            buildflags: "-race"
-          - goarch: "386" # thanks yaml
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v3
-    - name: Restore Cache
-      uses: actions/cache@v3
-      with:
-        # Note: unlike the other setups, this is only grabbing the mod download
-        # cache, rather than the whole mod directory, as the download cache
-        # contains zips that can be unpacked in parallel faster than they can be
-        # fetched and extracted by tar
-        path: |
-          ~/.cache/go-build
-          ~/go/pkg/mod/cache
-          ~\AppData\Local\go-build
-        # The -2- here should be incremented when the scheme of data to be
-        # cached changes (e.g. path above changes).
-        key: ${{ github.job }}-${{ runner.os }}-${{ matrix.goarch }}-${{ matrix.buildflags }}-go-2-${{ hashFiles('**/go.sum') }}-${{ github.run_id }}
-        restore-keys: |
-          ${{ github.job }}-${{ runner.os }}-${{ matrix.goarch }}-${{ matrix.buildflags }}-go-2-${{ hashFiles('**/go.sum') }}
-          ${{ github.job }}-${{ runner.os }}-${{ matrix.goarch }}-${{ matrix.buildflags }}-go-2-
-    - name: build all
-      run: ./tool/go build ${{matrix.buildflags}} ./...
-      env:
-        GOARCH: ${{ matrix.goarch }}
-    - name: build variant CLIs
-      run: |
-        export TS_USE_TOOLCHAIN=1
-        ./build_dist.sh --extra-small ./cmd/tailscaled
-        ./build_dist.sh --box ./cmd/tailscaled
-        ./build_dist.sh --extra-small --box ./cmd/tailscaled
-        rm -f tailscaled
-      env:
-        GOARCH: ${{ matrix.goarch }}
-    - name: get qemu # for tstest/archtest
-      if: matrix.goarch == 'amd64' && matrix.variant == ''
-      run: |
-        sudo apt-get -y update
-        sudo apt-get -y install qemu-user
-    - name: build test wrapper
-      run: ./tool/go build -o /tmp/testwrapper ./cmd/testwrapper
-    - name: test all
-      run: PATH=$PWD/tool:$PATH /tmp/testwrapper ./... ${{matrix.buildflags}}
-      env:
-        GOARCH: ${{ matrix.goarch }}
-    - name: bench all
-      run: PATH=$PWD/tool:$PATH /tmp/testwrapper ./... ${{matrix.buildflags}} -bench=. -benchtime=1x -run=^$ 
-      env:
-        GOARCH: ${{ matrix.goarch }}
-    - name: check that no tracked files changed
-      run: git diff --no-ext-diff --name-only --exit-code || (echo "Build/test modified the files above."; exit 1)
-    - name: check that no new files were added
-      run: |
-        # Note: The "error: pathspec..." you see below is normal!
-        # In the success case in which there are no new untracked files,
-        # git ls-files complains about the pathspec not matching anything.
-        # That's OK. It's not worth the effort to suppress. Please ignore it.
-        if git ls-files --others --exclude-standard --directory --no-empty-directory --error-unmatch -- ':/*'
-        then
-          echo "Build/test created untracked files in the repo (file names above)."
-          exit 1
-        fi
-
-  windows:
-    runs-on: windows-2022
-    steps:
-    - name: checkout
-      uses: actions/checkout@v3
-
-    - name: Install Go
-      uses: actions/setup-go@v4
-      with:
-        go-version-file: go.mod
-        cache: false
-
-    - name: Restore Cache
-      uses: actions/cache@v3
-      with:
-        # Note: unlike the other setups, this is only grabbing the mod download
-        # cache, rather than the whole mod directory, as the download cache
-        # contains zips that can be unpacked in parallel faster than they can be
-        # fetched and extracted by tar
-        path: |
-          ~/.cache/go-build
-          ~/go/pkg/mod/cache
-          ~\AppData\Local\go-build
-        # The -2- here should be incremented when the scheme of data to be
-        # cached changes (e.g. path above changes).
-        key: ${{ github.job }}-${{ runner.os }}-go-2-${{ hashFiles('**/go.sum') }}-${{ github.run_id }}
-        restore-keys: |
-          ${{ github.job }}-${{ runner.os }}-go-2-${{ hashFiles('**/go.sum') }}
-          ${{ github.job }}-${{ runner.os }}-go-2-
-    - name: test
-      # Don't use -bench=. -benchtime=1x.
-      # Somewhere in the layers (powershell?)
-      # the equals signs cause great confusion.
-      run: go run ./cmd/testwrapper ./... -bench . -benchtime 1x
-
-  vm:
-    runs-on: ["self-hosted", "linux", "vm"]
-    # VM tests run with some privileges, don't let them run on 3p PRs.
-    if: github.repository == 'tailscale/tailscale'
-    steps:
-    - name: checkout
-      uses: actions/checkout@v3
-    - name: Run VM tests
-      run: ./tool/go test ./tstest/integration/vms -v -no-s3 -run-vm-tests -run=TestRunUbuntu2004
-      env:
-        HOME: "/tmp"
-        TMPDIR: "/tmp"
-        XDB_CACHE_HOME: "/var/lib/ghrunner/cache"
-  
-  cross: # cross-compile checks, build only.
-    strategy:
-      fail-fast: false # don't abort the entire matrix if one element fails
-      matrix:
-        include:
-          # Note: linux/amd64 is not in this matrix, because that goos/goarch is
-          # tested more exhaustively in the 'test' job above.
-          - goos: linux
-            goarch: arm64
-          - goos: linux
-            goarch: "386" # thanks yaml
-          - goos: linux
-            goarch: loong64
-          - goos: linux
-            goarch: arm
-            goarm: "5"
-          - goos: linux
-            goarch: arm
-            goarm: "7"
-          # macOS
-          - goos: darwin
-            goarch: amd64
-          - goos: darwin
-            goarch: arm64
-          # Windows
-          - goos: windows
-            goarch: amd64
-          - goos: windows
-            goarch: arm64
-          # BSDs
-          - goos: freebsd
-            goarch: amd64
-          - goos: openbsd
-            goarch: amd64
-          # Plan9
-          - goos: plan9
-            goarch: amd64
-
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v3
-    - name: Restore Cache
-      uses: actions/cache@v3
-      with:
-        # Note: unlike the other setups, this is only grabbing the mod download
-        # cache, rather than the whole mod directory, as the download cache
-        # contains zips that can be unpacked in parallel faster than they can be
-        # fetched and extracted by tar
-        path: |
-          ~/.cache/go-build
-          ~/go/pkg/mod/cache
-          ~\AppData\Local\go-build
-        # The -2- here should be incremented when the scheme of data to be
-        # cached changes (e.g. path above changes).
-        key: ${{ github.job }}-${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-2-${{ hashFiles('**/go.sum') }}-${{ github.run_id }}
-        restore-keys: |
-          ${{ github.job }}-${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-2-${{ hashFiles('**/go.sum') }}
-          ${{ github.job }}-${{ runner.os }}-${{ matrix.goos }}-${{ matrix.goarch }}-go-2-
-    - name: build all
-      run: ./tool/go build ./cmd/...
-      env:
-        GOOS: ${{ matrix.goos }}
-        GOARCH: ${{ matrix.goarch }}
-        GOARM: ${{ matrix.goarm }}
-        CGO_ENABLED: "0"
-    - name: build tests
-      run: ./tool/go test -exec=true ./...
-      env:
-        GOOS: ${{ matrix.goos }}
-        GOARCH: ${{ matrix.goarch }}
-        CGO_ENABLED: "0"
-
-  ios: # similar to cross above, but iOS can't build most of the repo. So, just
-       #make it build a few smoke packages.
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v3
-    - name: build some
-      run: ./tool/go build ./ipn/... ./wgengine/ ./types/... ./control/controlclient
-      env:
-        GOOS: ios
-        GOARCH: arm64
-
-  android:
-    # similar to cross above, but android fails to build a few pieces of the
-    # repo. We should fix those pieces, they're small, but as a stepping stone,
-    # only test the subset of android that our past smoke test checked.
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v3
-      # Super minimal Android build that doesn't even use CGO and doesn't build everything that's needed
-      # and is only arm64. But it's a smoke build: it's not meant to catch everything. But it'll catch
-      # some Android breakages early.
-      # TODO(bradfitz): better; see https://github.com/tailscale/tailscale/issues/4482
-    - name: build some
-      run: ./tool/go install ./net/netns ./ipn/ipnlocal ./wgengine/magicsock/ ./wgengine/ ./wgengine/router/ ./wgengine/netstack ./util/dnsname/ ./ipn/ ./net/interfaces ./wgengine/router/ ./tailcfg/ ./types/logger/ ./net/dns ./hostinfo ./version
-      env:
-        GOOS: android
-        GOARCH: arm64
-
-  wasm: # builds tsconnect, which is the only wasm build we support
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v3
-    - name: Restore Cache
-      uses: actions/cache@v3
-      with:
-        # Note: unlike the other setups, this is only grabbing the mod download
-        # cache, rather than the whole mod directory, as the download cache
-        # contains zips that can be unpacked in parallel faster than they can be
-        # fetched and extracted by tar
-        path: |
-          ~/.cache/go-build
-          ~/go/pkg/mod/cache
-          ~\AppData\Local\go-build
-        # The -2- here should be incremented when the scheme of data to be
-        # cached changes (e.g. path above changes).
-        key: ${{ github.job }}-${{ runner.os }}-go-2-${{ hashFiles('**/go.sum') }}-${{ github.run_id }}
-        restore-keys: |
-          ${{ github.job }}-${{ runner.os }}-go-2-${{ hashFiles('**/go.sum') }}
-          ${{ github.job }}-${{ runner.os }}-go-2-
-    - name: build tsconnect client
-      run: ./tool/go build ./cmd/tsconnect/wasm ./cmd/tailscale/cli
-      env:
-        GOOS: js
-        GOARCH: wasm
-    - name: build tsconnect server
-      # Note, no GOOS/GOARCH in env on this build step, we're running a build
-      # tool that handles the build itself.
-      run: |
-        ./tool/go run ./cmd/tsconnect --fast-compression build
-        ./tool/go run ./cmd/tsconnect --fast-compression build-pkg
-
-  tailscale_go: # Subset of tests that depend on our custom Go toolchain.
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v3
-    - name: test tailscale_go
-      run: ./tool/go test -tags=tailscale_go,ts_enable_sockstats ./net/sockstats/...
-
-
-  fuzz:
-    # This target periodically breaks (see TS_FUZZ_CURRENTLY_BROKEN at the top
-    # of the file), so it's more complex than usual: the 'build fuzzers' step
-    # might fail, and depending on the value of 'TS_FUZZ_CURRENTLY_BROKEN', that
-    # might or might not be fine. The steps after the build figure out whether
-    # the success/failure is expected, and appropriately pass/fail the job
-    # overall accordingly.
-    #
-    # Practically, this means that all steps after 'build fuzzers' must have an
-    # explicit 'if' condition, because the default condition for steps is
-    # 'success()', meaning "only run this if no previous steps failed".
-    if: github.event_name == 'pull_request'
-    runs-on: ubuntu-22.04
-    steps:
-    - name: build fuzzers
-      id: build
-      uses: google/oss-fuzz/infra/cifuzz/actions/build_fuzzers@master
-      # continue-on-error makes steps.build.conclusion be 'success' even if
-      # steps.build.outcome is 'failure'. This means this step does not
-      # contribute to the job's overall pass/fail evaluation.
-      continue-on-error: true
-      with:
-       oss-fuzz-project-name: 'tailscale'
-       dry-run: false
-       language: go
-    - name: report unexpectedly broken fuzz build
-      if: steps.build.outcome == 'failure' && env.TS_FUZZ_CURRENTLY_BROKEN != 'true'
-      run: |
-        echo "fuzzer build failed, see above for why"
-        echo "if the failure is due to OSS-Fuzz not being on the latest Go yet,"
-        echo "set TS_FUZZ_CURRENTLY_BROKEN=true in .github/workflows/test.yml"
-        echo "to temporarily disable fuzzing until OSS-Fuzz works again."
-        exit 1
-    - name: report unexpectedly working fuzz build
-      if: steps.build.outcome == 'success' && env.TS_FUZZ_CURRENTLY_BROKEN == 'true'
-      run: |
-        echo "fuzzer build succeeded, but we expect it to be broken"
-        echo "please set TS_FUZZ_CURRENTLY_BROKEN=false in .github/workflows/test.yml"
-        echo "to reenable fuzz testing"
-        exit 1
-    - name: run fuzzers
-      id: run
-      # Run the fuzzers whenever they're able to build, even if we're going to
-      # report a failure because TS_FUZZ_CURRENTLY_BROKEN is set to the wrong
-      # value.
-      if: steps.build.outcome == 'success'
-      uses: google/oss-fuzz/infra/cifuzz/actions/run_fuzzers@master
-      with:
-        oss-fuzz-project-name: 'tailscale'
-        fuzz-seconds: 300
-        dry-run: false
-        language: go
-    - name: upload crash
-      uses: actions/upload-artifact@v3
-      if: steps.run.outcome != 'success' && steps.build.outcome == 'success'
-      with:
-        name: artifacts
-        path: ./out/artifacts
-
-  depaware:
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v3
-    - name: check depaware
-      run: |
-        export PATH=$(./tool/go env GOROOT)/bin:$PATH
-        find . -name 'depaware.txt' | xargs -n1 dirname | xargs ./tool/go run github.com/tailscale/depaware --check
-
-  go_generate:
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v3
-    - name: check that 'go generate' is clean
-      run: |
-        pkgs=$(./tool/go list ./... | grep -v dnsfallback)
-        ./tool/go generate $pkgs
-        echo
-        echo
-        git diff --name-only --exit-code || (echo "The files above need updating. Please run 'go generate'."; exit 1)
-
-  go_mod_tidy:
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v3
-    - name: check that 'go mod tidy' is clean
-      run: |
-        ./tool/go mod tidy
-        echo
-        echo
-        git diff --name-only --exit-code || (echo "Please run 'go mod tidy'."; exit 1)
-
-  licenses:
-    runs-on: ubuntu-22.04
-    steps:
-    - name: checkout
-      uses: actions/checkout@v3
-    - name: check licenses
-      run: ./scripts/check_license_headers.sh .
-
-  staticcheck:
-    runs-on: ubuntu-22.04
-    strategy:
-      fail-fast: false # don't abort the entire matrix if one element fails
-      matrix:
-        goos: ["linux", "windows", "darwin"]
-        goarch: ["amd64"]
-        include:
-          - goos: "windows"
-            goarch: "386"
-    steps:
-    - name: checkout
-      uses: actions/checkout@v3
-    - name: install staticcheck
-      run: GOBIN=~/.local/bin ./tool/go install honnef.co/go/tools/cmd/staticcheck
-    - name: run staticcheck
-      run: |
-        export GOROOT=$(./tool/go env GOROOT)
-        export PATH=$GOROOT/bin:$PATH
-        staticcheck -- $(./tool/go list ./... | grep -v tempfork)
-      env:
-        GOOS: ${{ matrix.goos }}
-        GOARCH: ${{ matrix.goarch }}
-
-  notify_slack:
-    if: always()
-    # Any of these jobs failing causes a slack notification.
-    needs: 
-      - android
-      - test
-      - windows
-      - vm
-      - cross
-      - ios
-      - wasm
-      - tailscale_go
-      - fuzz
-      - depaware
-      - go_generate
-      - go_mod_tidy
-      - licenses
-      - staticcheck
-    runs-on: ubuntu-22.04
-    steps:
-    - name: notify  
-      # Only notify slack for merged commits, not PR failures.
-      #
-      # It may be tempting to move this condition into the job's 'if' block, but
-      # don't: Github only collapses the test list into "everything is OK" if
-      # all jobs succeeded. A skipped job results in the list staying expanded.
-      # By having the job always run, but skipping its only step as needed, we
-      # let the CI output collapse nicely in PRs.
-      if: failure() && github.event_name == 'push'
-      uses: ruby/action-slack@v3.2.1
-      with:
-        payload: |
-          {
-            "attachments": [{
-              "title": "Failure: ${{ github.workflow }}",
-              "title_link": "https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks",         
-              "text": "${{ github.repository }}@${{ github.ref_name }}: <https://github.com/${{ github.repository }}/commit/${{ github.sha }}|${{ github.sha }}>",
-              "fields": [{ "value": ${{ toJson(github.event.head_commit.message) }}, "short": false }],
-              "footer": "${{ github.event.head_commit.committer.name }} at ${{ github.event.head_commit.timestamp }}",
-              "color": "danger"
-            }]
-          }
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-
-  check_mergeability:
-    if: always()
-    runs-on: ubuntu-22.04
-    needs:
-      - android
-      - test
-      - windows
-      - vm
-      - cross
-      - ios
-      - wasm
-      - tailscale_go
-      - fuzz
-      - depaware
-      - go_generate
-      - go_mod_tidy
-      - licenses
-      - staticcheck
-    steps:
-    - name: Decide if change is okay to merge
-      if: github.event_name != 'push'
-      uses: re-actors/alls-green@release/v1
-      with:
-        jobs: ${{ toJSON(needs) }}

.github/workflows/update-flake.yml

@@ -1,49 +0,0 @@
-name: update-flake
-
-on:
-  # run action when a change lands in the main branch which updates go.mod. Also
-  # allow manual triggering.
-  push:
-    branches:
-      - main
-    paths:
-      - go.mod
-      - .github/workflows/update-flakes.yml
-  workflow_dispatch:
-
-concurrency:
-  group: ${{ github.workflow }}-$${{ github.head_ref || github.run_id }}
-  cancel-in-progress: true
-
-jobs:
-  update-flake:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Check out code
-        uses: actions/checkout@v3
-
-      - name: Run update-flakes
-        run: ./update-flake.sh
-
-      - name: Get access token
-        uses: tibdex/github-app-token@b62528385c34dbc9f38e5f4225ac829252d1ea92 # v1.8.0
-        id: generate-token
-        with:
-          app_id: ${{ secrets.LICENSING_APP_ID }}
-          installation_id: ${{ secrets.LICENSING_APP_INSTALLATION_ID }}
-          private_key: ${{ secrets.LICENSING_APP_PRIVATE_KEY }}
-
-      - name: Send pull request
-        uses: peter-evans/create-pull-request@284f54f989303d2699d373481a0cfa13ad5a6666 #v5.0.1
-        with:
-          token: ${{ steps.generate-token.outputs.token }}
-          author: Flakes Updater <noreply+flakes-updater@tailscale.com>
-          committer: Flakes Updater <noreply+flakes-updater@tailscale.com>
-          branch: flakes
-          commit-message: "go.mod.sri: update SRI hash for go.mod changes"
-          title: "go.mod.sri: update SRI hash for go.mod changes"
-          body: Triggered by ${{ github.repository }}@${{ github.sha }}
-          signoff: true
-          delete-branch: true
-          reviewers: danderson

.gitignore

@@ -1,12 +1,12 @@
 # Binaries for programs and plugins
 *~
-*.tmp
 *.exe
 *.dll
 *.so
 *.dylib
-*.spk
 
+cmd/relaynode/relaynode
+cmd/taillogin/taillogin
 cmd/tailscale/tailscale
 cmd/tailscaled/tailscaled
 
@@ -18,27 +18,3 @@ cmd/tailscaled/tailscaled
 
 # Dependency directories (remove the comment below to include it)
 # vendor/
-
-# direnv config, this may be different for other people so it's probably safer
-# to make this nonspecific.
-.envrc
-
-# Ignore personal VS Code settings
-.vscode/
-
-# Support personal project-specific GOPATH
-.gopath/
-
-# Ignore nix build result path
-/result
-
-# Ignore direnv nix-shell environment cache
-.direnv/
-
-# Ignore web client node modules
-.vite/
-client/web/node_modules
-client/web/build
-
-/gocross
-/dist

.golangci.yml

@@ -1,61 +0,0 @@
-linters:
-  # Don't enable any linters by default; just the ones that we explicitly
-  # enable in the list below.
-  disable-all: true
-  enable:
-    - bidichk
-    - gofmt
-    - goimports
-    - misspell
-    - revive
-
-# Configuration for how we run golangci-lint
-run:
-  timeout: 5m
-
-issues:
-  # Excluding configuration per-path, per-linter, per-text and per-source
-  exclude-rules:
-    # These are forks of an upstream package and thus are exempt from stylistic
-    # changes that would make pulling in upstream changes harder.
-    - path: tempfork/.*\.go
-      text: "File is not `gofmt`-ed with `-s` `-r 'interface{} -> any'`"
-    - path: util/singleflight/.*\.go
-      text: "File is not `gofmt`-ed with `-s` `-r 'interface{} -> any'`"
-
-# Per-linter settings are contained in this top-level key
-linters-settings:
-  # Enable all rules by default; we don't use invisible unicode runes.
-  bidichk:
-
-  gofmt:
-    rewrite-rules:
-      - pattern: 'interface{}'
-        replacement: 'any'
-
-  goimports:
-
-  misspell:
-
-  revive:
-    enable-all-rules: false
-    ignore-generated-header: true
-    rules:
-      - name: atomic
-      - name: context-keys-type
-      - name: defer
-        arguments: [[
-          # Calling 'recover' at the time a defer is registered (i.e. "defer recover()") has no effect.
-          "immediate-recover",
-          # Calling 'recover' outside of a deferred function has no effect
-          "recover",
-          # Returning values from a deferred function has no effect
-          "return",
-        ]]
-      - name: duplicated-imports
-      - name: errorf
-      - name: string-of-int
-      - name: time-equal
-      - name: unconditional-recursion
-      - name: useless-break
-      - name: waitgroup-by-value

ALPINE.txt

@@ -1 +0,0 @@
-3.16

CODEOWNERS

@@ -1 +0,0 @@
-/tailcfg/ @tailscale/control-protocol-owners

Dockerfile

@@ -1,26 +1,16 @@
-# Copyright (c) Tailscale Inc & AUTHORS
-# SPDX-License-Identifier: BSD-3-Clause
-
-############################################################################
-#
-# WARNING: Tailscale is not yet officially supported in container
-# environments, such as Docker and Kubernetes. Though it should work, we
-# don't regularly test it, and we know there are some feature limitations.
-#
-# See current bugs tagged "containers":
-#    https://github.com/tailscale/tailscale/labels/containers
-#
-############################################################################
+# Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+# Use of this source code is governed by a BSD-style
+# license that can be found in the LICENSE file.
 
 # This Dockerfile includes all the tailscale binaries.
 #
 # To build the Dockerfile:
 #
-#     $ docker build -t tailscale/tailscale .
+#     $ docker build -t tailscale:tailscale .
 #
 # To run the tailscaled agent:
 #
-#     $ docker run -d --name=tailscaled -v /var/lib:/var/lib -v /dev/net/tun:/dev/net/tun --network=host --privileged tailscale/tailscale tailscaled
+#     $ docker run -d --name=tailscaled -v /var/lib:/var/lib -v /dev/net/tun:/dev/net/tun --network=host --privileged tailscale:tailscale tailscaled
 #
 # To then log in:
 #
@@ -31,45 +21,18 @@
 #     $ docker exec tailscaled tailscale status
 
 
-FROM golang:1.21-alpine AS build-env
+FROM golang:1.14-alpine AS build-env
 
 WORKDIR /go/src/tailscale
 
-COPY go.mod go.sum ./
+COPY go.mod .
+COPY go.sum .
 RUN go mod download
 
-# Pre-build some stuff before the following COPY line invalidates the Docker cache.
-RUN go install \
-    github.com/aws/aws-sdk-go-v2/aws \
-    github.com/aws/aws-sdk-go-v2/config \
-    gvisor.dev/gvisor/pkg/tcpip/adapters/gonet \
-    gvisor.dev/gvisor/pkg/tcpip/stack \
-    golang.org/x/crypto/ssh \
-    golang.org/x/crypto/acme \
-    nhooyr.io/websocket \
-    github.com/mdlayher/netlink
-
 COPY . .
 
-# see build_docker.sh
-ARG VERSION_LONG=""
-ENV VERSION_LONG=$VERSION_LONG
-ARG VERSION_SHORT=""
-ENV VERSION_SHORT=$VERSION_SHORT
-ARG VERSION_GIT_HASH=""
-ENV VERSION_GIT_HASH=$VERSION_GIT_HASH
-ARG TARGETARCH
-
-RUN GOARCH=$TARGETARCH go install -ldflags="\
-      -X tailscale.com/version.longStamp=$VERSION_LONG \
-      -X tailscale.com/version.shortStamp=$VERSION_SHORT \
-      -X tailscale.com/version.gitCommitStamp=$VERSION_GIT_HASH" \
-      -v ./cmd/tailscale ./cmd/tailscaled ./cmd/containerboot
-
-FROM alpine:3.16
-RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables
+RUN go install -v ./cmd/...
 
+FROM alpine:3.11
+RUN apk add --no-cache ca-certificates iptables iproute2
 COPY --from=build-env /go/bin/* /usr/local/bin/
-# For compat with the previous run.sh, although ideally you should be
-# using build_docker.sh which sets an entrypoint for the image.
-RUN mkdir /tailscale && ln -s /usr/local/bin/containerboot /tailscale/run.sh

Dockerfile.base

@@ -1,5 +0,0 @@
-# Copyright (c) Tailscale Inc & AUTHORS
-# SPDX-License-Identifier: BSD-3-Clause
-
-FROM alpine:3.16
-RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables iputils

LICENSE

@@ -1,28 +1,27 @@
-BSD 3-Clause License
-
-Copyright (c) 2020 Tailscale Inc & AUTHORS.
+Copyright (c) 2020 Tailscale & AUTHORS. All rights reserved.
 
 Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are met:
+modification, are permitted provided that the following conditions are
+met:
 
-1. Redistributions of source code must retain the above copyright notice, this
-   list of conditions and the following disclaimer.
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Tailscale Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
 
-2. Redistributions in binary form must reproduce the above copyright notice,
-   this list of conditions and the following disclaimer in the documentation
-   and/or other materials provided with the distribution.
-
-3. Neither the name of the copyright holder nor the names of its
-   contributors may be used to endorse or promote products derived from
-   this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
-AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE
-FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
-SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
-CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
-OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Makefile

@@ -1,86 +1,7 @@
-IMAGE_REPO ?= tailscale/tailscale
-SYNO_ARCH ?= "amd64"
-SYNO_DSM ?= "7"
+usage:
+	echo "See Makefile"
 
-vet: ## Run go vet
-	./tool/go vet ./...
+check: staticcheck
 
-tidy: ## Run go mod tidy
-	./tool/go mod tidy
-
-updatedeps: ## Update depaware deps
-	# depaware (via x/tools/go/packages) shells back to "go", so make sure the "go"
-	# it finds in its $$PATH is the right one.
-	PATH="$$(./tool/go env GOROOT)/bin:$$PATH" ./tool/go run github.com/tailscale/depaware --update \
-		tailscale.com/cmd/tailscaled \
-		tailscale.com/cmd/tailscale \
-		tailscale.com/cmd/derper
-
-depaware: ## Run depaware checks
-	# depaware (via x/tools/go/packages) shells back to "go", so make sure the "go"
-	# it finds in its $$PATH is the right one.
-	PATH="$$(./tool/go env GOROOT)/bin:$$PATH" ./tool/go run github.com/tailscale/depaware --check \
-		tailscale.com/cmd/tailscaled \
-		tailscale.com/cmd/tailscale \
-		tailscale.com/cmd/derper
-
-buildwindows: ## Build tailscale CLI for windows/amd64
-	GOOS=windows GOARCH=amd64 ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled
-
-build386: ## Build tailscale CLI for linux/386
-	GOOS=linux GOARCH=386 ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled
-
-buildlinuxarm: ## Build tailscale CLI for linux/arm
-	GOOS=linux GOARCH=arm ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled
-
-buildwasm: ## Build tailscale CLI for js/wasm
-	GOOS=js GOARCH=wasm ./tool/go install ./cmd/tsconnect/wasm ./cmd/tailscale/cli
-
-buildplan9:
-	GOOS=plan9 GOARCH=amd64 ./tool/go install ./cmd/tailscale ./cmd/tailscaled
-
-buildlinuxloong64: ## Build tailscale CLI for linux/loong64
-	GOOS=linux GOARCH=loong64 ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled
-
-buildmultiarchimage: ## Build (and optionally push) multiarch docker image
-	./build_docker.sh
-
-check: staticcheck vet depaware buildwindows build386 buildlinuxarm buildwasm ## Perform basic checks and compilation tests
-
-staticcheck: ## Run staticcheck.io checks
-	./tool/go run honnef.co/go/tools/cmd/staticcheck -- $$(./tool/go list ./... | grep -v tempfork)
-
-spk: ## Build synology package for ${SYNO_ARCH} architecture and ${SYNO_DSM} DSM version
-	./tool/go run ./cmd/dist build synology/dsm${SYNO_DSM}/${SYNO_ARCH}
-
-spkall: ## Build synology packages for all architectures and DSM versions
-	./tool/go run ./cmd/dist build synology
-
-pushspk: spk ## Push and install synology package on ${SYNO_HOST} host
-	echo "Pushing SPK to root@${SYNO_HOST} (env var SYNO_HOST) ..."
-	scp tailscale.spk root@${SYNO_HOST}:
-	ssh root@${SYNO_HOST} /usr/syno/bin/synopkg install tailscale.spk
-
-publishdevimage: ## Build and publish tailscale image to location specified by ${REPO}
-	@test -n "${REPO}" || (echo "REPO=... required; e.g. REPO=ghcr.io/${USER}/tailscale" && exit 1)
-	@test "${REPO}" != "tailscale/tailscale" || (echo "REPO=... must not be tailscale/tailscale" && exit 1)
-	@test "${REPO}" != "ghcr.io/tailscale/tailscale" || (echo "REPO=... must not be ghcr.io/tailscale/tailscale" && exit 1)
-	@test "${REPO}" != "tailscale/k8s-operator" || (echo "REPO=... must not be tailscale/k8s-operator" && exit 1)
-	@test "${REPO}" != "ghcr.io/tailscale/k8s-operator" || (echo "REPO=... must not be ghcr.io/tailscale/k8s-operator" && exit 1)
-	TAGS=latest REPOS=${REPO} PUSH=true TARGET=client ./build_docker.sh
-
-publishdevoperator: ## Build and publish k8s-operator image to location specified by ${REPO}
-	@test -n "${REPO}" || (echo "REPO=... required; e.g. REPO=ghcr.io/${USER}/tailscale" && exit 1)
-	@test "${REPO}" != "tailscale/tailscale" || (echo "REPO=... must not be tailscale/tailscale" && exit 1)
-	@test "${REPO}" != "ghcr.io/tailscale/tailscale" || (echo "REPO=... must not be ghcr.io/tailscale/tailscale" && exit 1)
-	@test "${REPO}" != "tailscale/k8s-operator" || (echo "REPO=... must not be tailscale/k8s-operator" && exit 1)
-	@test "${REPO}" != "ghcr.io/tailscale/k8s-operator" || (echo "REPO=... must not be ghcr.io/tailscale/k8s-operator" && exit 1)
-	TAGS=latest REPOS=${REPO} PUSH=true TARGET=operator ./build_docker.sh
-
-help: ## Show this help
-	@echo "\nSpecify a command. The choices are:\n"
-	@grep -hE '^[0-9a-zA-Z_-]+:.*?## .*$$' ${MAKEFILE_LIST} | awk 'BEGIN {FS = ":.*?## "}; {printf "  \033[0;36m%-20s\033[m %s\n", $$1, $$2}'
-	@echo ""
-.PHONY: help
-
-.DEFAULT_GOAL := help
+staticcheck:
+	go run honnef.co/go/tools/cmd/staticcheck -- $$(go list ./... | grep -v tempfork)

README.md

@@ -6,56 +6,27 @@ Private WireGuard® networks made easy
 
 ## Overview
 
-This repository contains the majority of Tailscale's open source code.
-Notably, it includes the `tailscaled` daemon and
-the `tailscale` CLI tool. The `tailscaled` daemon runs on Linux, Windows,
-[macOS](https://tailscale.com/kb/1065/macos-variants/), and to varying degrees
-on FreeBSD and OpenBSD. The Tailscale iOS and Android apps use this repo's
-code, but this repo doesn't contain the mobile GUI code.
+This repository contains all the open source Tailscale code.
+It currently includes the Linux client.
 
-Other [Tailscale repos](https://github.com/orgs/tailscale/repositories) of note:
-
-* the Android app is at https://github.com/tailscale/tailscale-android
-* the Synology package is at https://github.com/tailscale/tailscale-synology
-* the QNAP package is at https://github.com/tailscale/tailscale-qpkg
-* the Chocolatey packaging is at https://github.com/tailscale/tailscale-chocolatey
-
-For background on which parts of Tailscale are open source and why,
-see [https://tailscale.com/opensource/](https://tailscale.com/opensource/).
+The Linux client is currently `cmd/relaynode`, but will
+soon be replaced by `cmd/tailscaled`.
 
 ## Using
 
-We serve packages for a variety of distros and platforms at
-[https://pkgs.tailscale.com](https://pkgs.tailscale.com/).
-
-## Other clients
-
-The [macOS, iOS, and Windows clients](https://tailscale.com/download)
-use the code in this repository but additionally include small GUI
-wrappers. The GUI wrappers on non-open source platforms are themselves
-not open source.
+We serve packages for a variety of distros at
+https://pkgs.tailscale.com .
 
 ## Building
 
-We always require the latest Go release, currently Go 1.21. (While we build
-releases with our [Go fork](https://github.com/tailscale/go/), its use is not
-required.)
-
 ```
 go install tailscale.com/cmd/tailscale{,d}
 ```
 
-If you're packaging Tailscale for distribution, use `build_dist.sh`
-instead, to burn commit IDs and version info into the binaries:
-
-```
-./build_dist.sh tailscale.com/cmd/tailscale
-./build_dist.sh tailscale.com/cmd/tailscaled
-```
-
-If your distro has conventions that preclude the use of
-`build_dist.sh`, please do the equivalent of what it does in your
-distro's way, so that bug reports contain useful version information.
+We only guarantee to support the latest Go release and any Go beta or
+release candidate builds (currently Go 1.14) in module mode. It might
+work in earlier Go versions or in GOPATH mode, but we're making no
+effort to keep those working.
 
 ## Bugs
 
@@ -64,25 +35,19 @@ Please file any issues about this code or the hosted service on
 
 ## Contributing
 
-PRs welcome! But please file bugs. Commit messages should [reference
-bugs](https://docs.github.com/en/github/writing-on-github/autolinked-references-and-urls).
+`under_construction.gif`
+
+PRs welcome, but we are still working out our contribution process and
+tooling.
 
 We require [Developer Certificate of
 Origin](https://en.wikipedia.org/wiki/Developer_Certificate_of_Origin)
 `Signed-off-by` lines in commits.
 
-See `git log` for our commit message style. It's basically the same as
-[Go's style](https://github.com/golang/go/wiki/CommitMessage).
-
 ## About Us
 
-[Tailscale](https://tailscale.com/) is primarily developed by the
-people at https://github.com/orgs/tailscale/people. For other contributors,
-see:
-
-* https://github.com/tailscale/tailscale/graphs/contributors
-* https://github.com/tailscale/tailscale-android/graphs/contributors
-
-## Legal
+We are apenwarr, bradfitz, crawshaw, danderson, dfcarney,
+from Tailscale Inc.
+You can learn more about us from [our website](https://tailscale.com).
 
 WireGuard is a registered trademark of Jason A. Donenfeld.

VERSION.txt

@@ -1 +0,0 @@
-1.49.0

atomicfile/atomicfile.go

@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2019 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
 
 // Package atomicfile contains code related to writing to filesystems
 // atomically.
@@ -8,21 +9,16 @@
 package atomicfile // import "tailscale.com/atomicfile"
 
 import (
-	"fmt"
+	"io/ioutil"
 	"os"
 	"path/filepath"
 	"runtime"
 )
 
-// WriteFile writes data to filename+some suffix, then renames it into filename.
-// The perm argument is ignored on Windows. If the target filename already
-// exists but is not a regular file, WriteFile returns an error.
+// WriteFile writes data to filename+some suffix, then renames it
+// into filename.
 func WriteFile(filename string, data []byte, perm os.FileMode) (err error) {
-	fi, err := os.Stat(filename)
-	if err == nil && !fi.Mode().IsRegular() {
-		return fmt.Errorf("%s already exists and is not a regular file", filename)
-	}
-	f, err := os.CreateTemp(filepath.Dir(filename), filepath.Base(filename)+".tmp")
+	f, err := ioutil.TempFile(filepath.Dir(filename), filepath.Base(filename)+".tmp")
 	if err != nil {
 		return err
 	}

atomicfile/atomicfile_test.go

@@ -1,47 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build !js && !windows
-
-package atomicfile
-
-import (
-	"net"
-	"os"
-	"path/filepath"
-	"runtime"
-	"strings"
-	"testing"
-)
-
-func TestDoesNotOverwriteIrregularFiles(t *testing.T) {
-	// Per tailscale/tailscale#7658 as one example, almost any imagined use of
-	// atomicfile.Write should likely not attempt to overwrite an irregular file
-	// such as a device node, socket, or named pipe.
-
-	const filename = "TestDoesNotOverwriteIrregularFiles"
-	var path string
-	// macOS private temp does not allow unix socket creation, but /tmp does.
-	if runtime.GOOS == "darwin" {
-		path = filepath.Join("/tmp", filename)
-		t.Cleanup(func() { os.Remove(path) })
-	} else {
-		path = filepath.Join(t.TempDir(), filename)
-	}
-
-	// The least troublesome thing to make that is not a file is a unix socket.
-	// Making a null device sadly requires root.
-	l, err := net.ListenUnix("unix", &net.UnixAddr{Name: path, Net: "unix"})
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer l.Close()
-
-	err = WriteFile(path, []byte("hello"), 0644)
-	if err == nil {
-		t.Fatal("expected error, got nil")
-	}
-	if !strings.Contains(err.Error(), "is not a regular file") {
-		t.Fatalf("unexpected error: %v", err)
-	}
-}

build_dist.sh

@@ -1,52 +0,0 @@
-#!/usr/bin/env sh
-#
-# Runs `go build` with flags configured for binary distribution. All
-# it does differently from `go build` is burn git commit and version
-# information into the binaries, so that we can track down user
-# issues.
-#
-# If you're packaging Tailscale for a distro, please consider using
-# this script, or executing equivalent commands in your
-# distro-specific build system.
-
-set -eu
-
-go="go"
-if [ -n "${TS_USE_TOOLCHAIN:-}" ]; then
-	go="./tool/go"
-fi
-
-eval `CGO_ENABLED=0 GOOS=$($go env GOHOSTOS) GOARCH=$($go env GOHOSTARCH) $go run ./cmd/mkversion`
-
-if [ "$1" = "shellvars" ]; then
-	cat <<EOF
-VERSION_MINOR="$VERSION_MINOR"
-VERSION_SHORT="$VERSION_SHORT"
-VERSION_LONG="$VERSION_LONG"
-VERSION_GIT_HASH="$VERSION_GIT_HASH"
-EOF
-	exit 0
-fi
-
-tags=""
-ldflags="-X tailscale.com/version.longStamp=${VERSION_LONG} -X tailscale.com/version.shortStamp=${VERSION_SHORT}"
-
-# build_dist.sh arguments must precede go build arguments.
-while [ "$#" -gt 1 ]; do
-	case "$1" in
-	--extra-small)
-		shift
-		ldflags="$ldflags -w -s"
-		tags="${tags:+$tags,}ts_omit_aws,ts_omit_bird,ts_omit_tap,ts_omit_kube"
-		;;
-	--box)
-		shift
-		tags="${tags:+$tags,}ts_include_cli"
-		;;
-	*)
-		break
-		;;
-	esac
-done
-
-exec $go build ${tags:+-tags=$tags} -ldflags "$ldflags" "$@"

build_docker.sh

@@ -1,74 +0,0 @@
-#!/usr/bin/env sh
-
-#
-# Runs `go build` with flags configured for docker distribution. All
-# it does differently from `go build` is burn git commit and version
-# information into the binaries inside docker, so that we can track down user
-# issues.
-#
-############################################################################
-#
-# WARNING: Tailscale is not yet officially supported in container
-# environments, such as Docker and Kubernetes. Though it should work, we
-# don't regularly test it, and we know there are some feature limitations.
-#
-# See current bugs tagged "containers":
-#    https://github.com/tailscale/tailscale/labels/containers
-#
-############################################################################
-
-set -eu
-
-# Use the "go" binary from the "tool" directory (which is github.com/tailscale/go)
-export PATH=$PWD/tool:$PATH
-
-eval $(./build_dist.sh shellvars)
-
-DEFAULT_TARGET="client"
-DEFAULT_TAGS="v${VERSION_SHORT},v${VERSION_MINOR}"
-DEFAULT_BASE="tailscale/alpine-base:3.16"
-
-PUSH="${PUSH:-false}"
-TARGET="${TARGET:-${DEFAULT_TARGET}}"
-TAGS="${TAGS:-${DEFAULT_TAGS}}"
-BASE="${BASE:-${DEFAULT_BASE}}"
-
-case "$TARGET" in
-  client)
-    DEFAULT_REPOS="tailscale/tailscale"
-    REPOS="${REPOS:-${DEFAULT_REPOS}}"
-    go run github.com/tailscale/mkctr \
-      --gopaths="\
-        tailscale.com/cmd/tailscale:/usr/local/bin/tailscale, \
-        tailscale.com/cmd/tailscaled:/usr/local/bin/tailscaled, \
-        tailscale.com/cmd/containerboot:/usr/local/bin/containerboot" \
-      --ldflags="\
-        -X tailscale.com/version.longStamp=${VERSION_LONG} \
-        -X tailscale.com/version.shortStamp=${VERSION_SHORT} \
-        -X tailscale.com/version.gitCommitStamp=${VERSION_GIT_HASH}" \
-      --base="${BASE}" \
-      --tags="${TAGS}" \
-      --repos="${REPOS}" \
-      --push="${PUSH}" \
-      /usr/local/bin/containerboot
-    ;;
-  operator)
-    DEFAULT_REPOS="tailscale/k8s-operator"
-    REPOS="${REPOS:-${DEFAULT_REPOS}}"
-    go run github.com/tailscale/mkctr \
-      --gopaths="tailscale.com/cmd/k8s-operator:/usr/local/bin/operator" \
-      --ldflags="\
-        -X tailscale.com/version.longStamp=${VERSION_LONG} \
-        -X tailscale.com/version.shortStamp=${VERSION_SHORT} \
-        -X tailscale.com/version.gitCommitStamp=${VERSION_GIT_HASH}" \
-      --base="${BASE}" \
-      --tags="${TAGS}" \
-      --repos="${REPOS}" \
-      --push="${PUSH}" \
-      /usr/local/bin/operator
-    ;;
-  *)
-    echo "unknown target: $TARGET"
-    exit 1
-    ;;
-esac

chirp/chirp.go

@@ -1,163 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// Package chirp implements a client to communicate with the BIRD Internet
-// Routing Daemon.
-package chirp
-
-import (
-	"bufio"
-	"fmt"
-	"net"
-	"strings"
-	"time"
-)
-
-const (
-	// Maximum amount of time we should wait when reading a response from BIRD.
-	responseTimeout = 10 * time.Second
-)
-
-// New creates a BIRDClient.
-func New(socket string) (*BIRDClient, error) {
-	return newWithTimeout(socket, responseTimeout)
-}
-
-func newWithTimeout(socket string, timeout time.Duration) (_ *BIRDClient, err error) {
-	conn, err := net.Dial("unix", socket)
-	if err != nil {
-		return nil, fmt.Errorf("failed to connect to BIRD: %w", err)
-	}
-	defer func() {
-		if err != nil {
-			conn.Close()
-		}
-	}()
-
-	b := &BIRDClient{
-		socket:  socket,
-		conn:    conn,
-		scanner: bufio.NewScanner(conn),
-		timeNow: time.Now,
-		timeout: timeout,
-	}
-	// Read and discard the first line as that is the welcome message.
-	if _, err := b.readResponse(); err != nil {
-		return nil, err
-	}
-	return b, nil
-}
-
-// BIRDClient handles communication with the BIRD Internet Routing Daemon.
-type BIRDClient struct {
-	socket  string
-	conn    net.Conn
-	scanner *bufio.Scanner
-	timeNow func() time.Time
-	timeout time.Duration
-}
-
-// Close closes the underlying connection to BIRD.
-func (b *BIRDClient) Close() error { return b.conn.Close() }
-
-// DisableProtocol disables the provided protocol.
-func (b *BIRDClient) DisableProtocol(protocol string) error {
-	out, err := b.exec("disable %s", protocol)
-	if err != nil {
-		return err
-	}
-	if strings.Contains(out, fmt.Sprintf("%s: already disabled", protocol)) {
-		return nil
-	} else if strings.Contains(out, fmt.Sprintf("%s: disabled", protocol)) {
-		return nil
-	}
-	return fmt.Errorf("failed to disable %s: %v", protocol, out)
-}
-
-// EnableProtocol enables the provided protocol.
-func (b *BIRDClient) EnableProtocol(protocol string) error {
-	out, err := b.exec("enable %s", protocol)
-	if err != nil {
-		return err
-	}
-	if strings.Contains(out, fmt.Sprintf("%s: already enabled", protocol)) {
-		return nil
-	} else if strings.Contains(out, fmt.Sprintf("%s: enabled", protocol)) {
-		return nil
-	}
-	return fmt.Errorf("failed to enable %s: %v", protocol, out)
-}
-
-// BIRD CLI docs from https://bird.network.cz/?get_doc&v=20&f=prog-2.html#ss2.9
-
-// Each session of the CLI consists of a sequence of request and replies,
-// slightly resembling the FTP and SMTP protocols.
-// Requests are commands encoded as a single line of text,
-// replies are sequences of lines starting with a four-digit code
-// followed by either a space (if it's the last line of the reply) or
-// a minus sign (when the reply is going to continue with the next line),
-// the rest of the line contains a textual message semantics of which depends on the numeric code.
-// If a reply line has the same code as the previous one and it's a continuation line,
-// the whole prefix can be replaced by a single white space character.
-//
-// Reply codes starting with 0 stand for ‘action successfully completed’ messages,
-// 1 means ‘table entry’, 8 ‘runtime error’ and 9 ‘syntax error’.
-
-func (b *BIRDClient) exec(cmd string, args ...any) (string, error) {
-	if err := b.conn.SetWriteDeadline(b.timeNow().Add(b.timeout)); err != nil {
-		return "", err
-	}
-	if _, err := fmt.Fprintf(b.conn, cmd, args...); err != nil {
-		return "", err
-	}
-	if _, err := fmt.Fprintln(b.conn); err != nil {
-		return "", err
-	}
-	return b.readResponse()
-}
-
-// hasResponseCode reports whether the provided byte slice is
-// prefixed with a BIRD response code.
-// Equivalent regex: `^\d{4}[ -]`.
-func hasResponseCode(s []byte) bool {
-	if len(s) < 5 {
-		return false
-	}
-	for _, b := range s[:4] {
-		if '0' <= b && b <= '9' {
-			continue
-		}
-		return false
-	}
-	return s[4] == ' ' || s[4] == '-'
-}
-
-func (b *BIRDClient) readResponse() (string, error) {
-	// Set the read timeout before we start reading anything.
-	if err := b.conn.SetReadDeadline(b.timeNow().Add(b.timeout)); err != nil {
-		return "", err
-	}
-
-	var resp strings.Builder
-	var done bool
-	for !done {
-		if !b.scanner.Scan() {
-			if err := b.scanner.Err(); err != nil {
-				return "", err
-			}
-
-			return "", fmt.Errorf("reading response from bird failed (EOF): %q", resp.String())
-		}
-		out := b.scanner.Bytes()
-		if _, err := resp.Write(out); err != nil {
-			return "", err
-		}
-		if hasResponseCode(out) {
-			done = out[4] == ' '
-		}
-		if !done {
-			resp.WriteRune('\n')
-		}
-	}
-	return resp.String(), nil
-}

chirp/chirp_test.go

@@ -1,192 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-package chirp
-
-import (
-	"bufio"
-	"errors"
-	"fmt"
-	"net"
-	"os"
-	"path/filepath"
-	"strings"
-	"sync"
-	"testing"
-	"time"
-)
-
-type fakeBIRD struct {
-	net.Listener
-	protocolsEnabled map[string]bool
-	sock             string
-}
-
-func newFakeBIRD(t *testing.T, protocols ...string) *fakeBIRD {
-	sock := filepath.Join(t.TempDir(), "sock")
-	l, err := net.Listen("unix", sock)
-	if err != nil {
-		t.Fatal(err)
-	}
-	pe := make(map[string]bool)
-	for _, p := range protocols {
-		pe[p] = false
-	}
-	return &fakeBIRD{
-		Listener:         l,
-		protocolsEnabled: pe,
-		sock:             sock,
-	}
-}
-
-func (fb *fakeBIRD) listen() error {
-	for {
-		c, err := fb.Accept()
-		if err != nil {
-			if errors.Is(err, net.ErrClosed) {
-				return nil
-			}
-			return err
-		}
-		go fb.handle(c)
-	}
-}
-
-func (fb *fakeBIRD) handle(c net.Conn) {
-	fmt.Fprintln(c, "0001 BIRD 2.0.8 ready.")
-	sc := bufio.NewScanner(c)
-	for sc.Scan() {
-		cmd := sc.Text()
-		args := strings.Split(cmd, " ")
-		switch args[0] {
-		case "enable":
-			en, ok := fb.protocolsEnabled[args[1]]
-			if !ok {
-				fmt.Fprintln(c, "9001 syntax error, unexpected CF_SYM_UNDEFINED, expecting CF_SYM_KNOWN or TEXT or ALL")
-			} else if en {
-				fmt.Fprintf(c, "0010-%s: already enabled\n", args[1])
-			} else {
-				fmt.Fprintf(c, "0011-%s: enabled\n", args[1])
-			}
-			fmt.Fprintln(c, "0000 ")
-			fb.protocolsEnabled[args[1]] = true
-		case "disable":
-			en, ok := fb.protocolsEnabled[args[1]]
-			if !ok {
-				fmt.Fprintln(c, "9001 syntax error, unexpected CF_SYM_UNDEFINED, expecting CF_SYM_KNOWN or TEXT or ALL")
-			} else if !en {
-				fmt.Fprintf(c, "0008-%s: already disabled\n", args[1])
-			} else {
-				fmt.Fprintf(c, "0009-%s: disabled\n", args[1])
-			}
-			fmt.Fprintln(c, "0000 ")
-			fb.protocolsEnabled[args[1]] = false
-		}
-	}
-}
-
-func TestChirp(t *testing.T) {
-	fb := newFakeBIRD(t, "tailscale")
-	defer fb.Close()
-	go fb.listen()
-	c, err := New(fb.sock)
-	if err != nil {
-		t.Fatal(err)
-	}
-	if err := c.EnableProtocol("tailscale"); err != nil {
-		t.Fatal(err)
-	}
-	if err := c.EnableProtocol("tailscale"); err != nil {
-		t.Fatal(err)
-	}
-	if err := c.DisableProtocol("tailscale"); err != nil {
-		t.Fatal(err)
-	}
-	if err := c.DisableProtocol("tailscale"); err != nil {
-		t.Fatal(err)
-	}
-	if err := c.EnableProtocol("rando"); err == nil {
-		t.Fatalf("enabling %q succeeded", "rando")
-	}
-	if err := c.DisableProtocol("rando"); err == nil {
-		t.Fatalf("disabling %q succeeded", "rando")
-	}
-}
-
-type hangingListener struct {
-	net.Listener
-	t    *testing.T
-	done chan struct{}
-	wg   sync.WaitGroup
-	sock string
-}
-
-func newHangingListener(t *testing.T) *hangingListener {
-	sock := filepath.Join(t.TempDir(), "sock")
-	l, err := net.Listen("unix", sock)
-	if err != nil {
-		t.Fatal(err)
-	}
-	return &hangingListener{
-		Listener: l,
-		t:        t,
-		done:     make(chan struct{}),
-		sock:     sock,
-	}
-}
-
-func (hl *hangingListener) Stop() {
-	hl.Close()
-	close(hl.done)
-	hl.wg.Wait()
-}
-
-func (hl *hangingListener) listen() error {
-	for {
-		c, err := hl.Accept()
-		if err != nil {
-			if errors.Is(err, net.ErrClosed) {
-				return nil
-			}
-			return err
-		}
-		hl.wg.Add(1)
-		go hl.handle(c)
-	}
-}
-
-func (hl *hangingListener) handle(c net.Conn) {
-	defer hl.wg.Done()
-
-	// Write our fake first line of response so that we get into the read loop
-	fmt.Fprintln(c, "0001 BIRD 2.0.8 ready.")
-
-	ticker := time.NewTicker(2 * time.Second)
-	defer ticker.Stop()
-	for {
-		select {
-		case <-ticker.C:
-			hl.t.Logf("connection still hanging")
-		case <-hl.done:
-			return
-		}
-	}
-}
-
-func TestChirpTimeout(t *testing.T) {
-	fb := newHangingListener(t)
-	defer fb.Stop()
-	go fb.listen()
-
-	c, err := newWithTimeout(fb.sock, 500*time.Millisecond)
-	if err != nil {
-		t.Fatal(err)
-	}
-
-	err = c.EnableProtocol("tailscale")
-	if err == nil {
-		t.Fatal("got err=nil, want timeout")
-	}
-	if !os.IsTimeout(err) {
-		t.Fatalf("got err=%v, want os.IsTimeout(err)=true", err)
-	}
-}

client/tailscale/acl.go

@@ -1,476 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build go1.19
-
-package tailscale
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"net/netip"
-)
-
-// ACLRow defines a rule that grants access by a set of users or groups to a set
-// of servers and ports.
-// Only one of Src/Dst or Users/Ports may be specified.
-type ACLRow struct {
-	Action string   `json:"action,omitempty"` // valid values: "accept"
-	Users  []string `json:"users,omitempty"`  // old name for src
-	Ports  []string `json:"ports,omitempty"`  // old name for dst
-	Src    []string `json:"src,omitempty"`
-	Dst    []string `json:"dst,omitempty"`
-}
-
-// ACLTest defines a test for your ACLs to prevent accidental exposure or
-// revoking of access to key servers and ports. Only one of Src or User may be
-// specified, and only one of Allow/Accept may be specified.
-type ACLTest struct {
-	Src    string   `json:"src,omitempty"`    // source
-	User   string   `json:"user,omitempty"`   // old name for source
-	Accept []string `json:"accept,omitempty"` // expected destination ip:port that user can access
-	Deny   []string `json:"deny,omitempty"`   // expected destination ip:port that user cannot access
-
-	Allow []string `json:"allow,omitempty"` // old name for accept
-}
-
-// ACLDetails contains all the details for an ACL.
-type ACLDetails struct {
-	Tests     []ACLTest           `json:"tests,omitempty"`
-	ACLs      []ACLRow            `json:"acls,omitempty"`
-	Groups    map[string][]string `json:"groups,omitempty"`
-	TagOwners map[string][]string `json:"tagowners,omitempty"`
-	Hosts     map[string]string   `json:"hosts,omitempty"`
-}
-
-// ACL contains an ACLDetails and metadata.
-type ACL struct {
-	ACL  ACLDetails
-	ETag string // to check with version on server
-}
-
-// ACLHuJSON contains the HuJSON string of the ACL and metadata.
-type ACLHuJSON struct {
-	ACL      string
-	Warnings []string
-	ETag     string // to check with version on server
-}
-
-// ACL makes a call to the Tailscale server to get a JSON-parsed version of the ACL.
-// The JSON-parsed version of the ACL contains no comments as proper JSON does not support
-// comments.
-func (c *Client) ACL(ctx context.Context) (acl *ACL, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.ACL: %w", err)
-		}
-	}()
-
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl", c.baseURL(), c.tailnet)
-	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
-	if err != nil {
-		return nil, err
-	}
-	req.Header.Set("Accept", "application/json")
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	// Otherwise, try to decode the response.
-	var aclDetails ACLDetails
-	if err = json.Unmarshal(b, &aclDetails); err != nil {
-		return nil, err
-	}
-	acl = &ACL{
-		ACL:  aclDetails,
-		ETag: resp.Header.Get("ETag"),
-	}
-	return acl, nil
-}
-
-// ACLHuJSON makes a call to the Tailscale server to get the ACL HuJSON and returns
-// it as a string.
-// HuJSON is JSON with a few modifications to make it more human-friendly. The primary
-// changes are allowing comments and trailing comments. See the following links for more info:
-// https://tailscale.com/s/acl-format
-// https://github.com/tailscale/hujson
-func (c *Client) ACLHuJSON(ctx context.Context) (acl *ACLHuJSON, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.ACLHuJSON: %w", err)
-		}
-	}()
-
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl?details=1", c.baseURL(), c.tailnet)
-	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
-	if err != nil {
-		return nil, err
-	}
-	req.Header.Set("Accept", "application/hujson")
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	data := struct {
-		ACL      []byte   `json:"acl"`
-		Warnings []string `json:"warnings"`
-	}{}
-	if err := json.Unmarshal(b, &data); err != nil {
-		return nil, err
-	}
-
-	acl = &ACLHuJSON{
-		ACL:      string(data.ACL),
-		Warnings: data.Warnings,
-		ETag:     resp.Header.Get("ETag"),
-	}
-	return acl, nil
-}
-
-// ACLTestFailureSummary specifies a user for which ACL tests
-// failed and the related user-friendly error messages.
-//
-// ACLTestFailureSummary specifies the JSON format sent to the
-// JavaScript client to be rendered in the HTML.
-type ACLTestFailureSummary struct {
-	User     string   `json:"user,omitempty"`
-	Errors   []string `json:"errors,omitempty"`
-	Warnings []string `json:"warnings,omitempty"`
-}
-
-// ACLTestError is ErrResponse but with an extra field to account for ACLTestFailureSummary.
-type ACLTestError struct {
-	ErrResponse
-	Data []ACLTestFailureSummary `json:"data"`
-}
-
-func (e ACLTestError) Error() string {
-	return fmt.Sprintf("%s, Data: %+v", e.ErrResponse.Error(), e.Data)
-}
-
-func (c *Client) aclPOSTRequest(ctx context.Context, body []byte, avoidCollisions bool, etag, acceptHeader string) ([]byte, string, error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl", c.baseURL(), c.tailnet)
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(body))
-	if err != nil {
-		return nil, "", err
-	}
-
-	if avoidCollisions {
-		req.Header.Set("If-Match", etag)
-	}
-	req.Header.Set("Accept", acceptHeader)
-	req.Header.Set("Content-Type", "application/hujson")
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, "", err
-	}
-
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		// check if test error
-		var ate ACLTestError
-		if err := json.Unmarshal(b, &ate); err != nil {
-			return nil, "", err
-		}
-		ate.Status = resp.StatusCode
-		return nil, "", ate
-	}
-	return b, resp.Header.Get("ETag"), nil
-}
-
-// SetACL sends a POST request to update the ACL according to the provided ACL object. If
-// `avoidCollisions` is true, it will use the ETag obtained in the GET request in an If-Match
-// header to check if the previously obtained ACL was the latest version and that no updates
-// were missed.
-//
-// Returns error with status code 412 if mistmached ETag and avoidCollisions is set to true.
-// Returns error if ACL has tests that fail.
-// Returns error if there are other errors with the ACL.
-func (c *Client) SetACL(ctx context.Context, acl ACL, avoidCollisions bool) (res *ACL, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetACL: %w", err)
-		}
-	}()
-	postData, err := json.Marshal(acl.ACL)
-	if err != nil {
-		return nil, err
-	}
-	b, etag, err := c.aclPOSTRequest(ctx, postData, avoidCollisions, acl.ETag, "application/json")
-	if err != nil {
-		return nil, err
-	}
-
-	// Otherwise, try to decode the response.
-	var aclDetails ACLDetails
-	if err = json.Unmarshal(b, &aclDetails); err != nil {
-		return nil, err
-	}
-	res = &ACL{
-		ACL:  aclDetails,
-		ETag: etag,
-	}
-	return res, nil
-}
-
-// SetACLHuJSON sends a POST request to update the ACL according to the provided ACL object. If
-// `avoidCollisions` is true, it will use the ETag obtained in the GET request in an If-Match
-// header to check if the previously obtained ACL was the latest version and that no updates
-// were missed.
-//
-// Returns error with status code 412 if mistmached ETag and avoidCollisions is set to true.
-// Returns error if the HuJSON is invalid.
-// Returns error if ACL has tests that fail.
-// Returns error if there are other errors with the ACL.
-func (c *Client) SetACLHuJSON(ctx context.Context, acl ACLHuJSON, avoidCollisions bool) (res *ACLHuJSON, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetACLHuJSON: %w", err)
-		}
-	}()
-
-	postData := []byte(acl.ACL)
-	b, etag, err := c.aclPOSTRequest(ctx, postData, avoidCollisions, acl.ETag, "application/hujson")
-	if err != nil {
-		return nil, err
-	}
-
-	res = &ACLHuJSON{
-		ACL:  string(b),
-		ETag: etag,
-	}
-	return res, nil
-}
-
-// UserRuleMatch specifies the source users/groups/hosts that a rule targets
-// and the destination ports that they can access.
-// LineNumber is only useful for requests provided in HuJSON form.
-// While JSON requests will have LineNumber, the value is not useful.
-type UserRuleMatch struct {
-	Users      []string `json:"users"`
-	Ports      []string `json:"ports"`
-	LineNumber int      `json:"lineNumber"`
-}
-
-// ACLPreviewResponse is the response type of previewACLPostRequest
-type ACLPreviewResponse struct {
-	Matches    []UserRuleMatch `json:"matches"`    // ACL rules that match the specified user or ipport.
-	Type       string          `json:"type"`       // The request type: currently only "user" or "ipport".
-	PreviewFor string          `json:"previewFor"` // A specific user or ipport.
-}
-
-// ACLPreview is the response type of PreviewACLForUser, PreviewACLForIPPort, PreviewACLHuJSONForUser, and PreviewACLHuJSONForIPPort
-type ACLPreview struct {
-	Matches []UserRuleMatch `json:"matches"`
-	User    string          `json:"user,omitempty"`   // Filled if response of PreviewACLForUser or PreviewACLHuJSONForUser
-	IPPort  string          `json:"ipport,omitempty"` // Filled if response of PreviewACLForIPPort or PreviewACLHuJSONForIPPort
-}
-
-func (c *Client) previewACLPostRequest(ctx context.Context, body []byte, previewType string, previewFor string) (res *ACLPreviewResponse, err error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl/preview", c.baseURL(), c.tailnet)
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(body))
-	if err != nil {
-		return nil, err
-	}
-
-	q := req.URL.Query()
-	q.Add("type", previewType)
-	q.Add("previewFor", previewFor)
-	req.URL.RawQuery = q.Encode()
-
-	req.Header.Set("Content-Type", "application/hujson")
-	c.setAuth(req)
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-	if err = json.Unmarshal(b, &res); err != nil {
-		return nil, err
-	}
-
-	return res, nil
-}
-
-// PreviewACLForUser determines what rules match a given ACL for a user.
-// The ACL can be a locally modified or clean ACL obtained from server.
-//
-// Returns ACLPreview on success with matches in a slice. If there are no matches,
-// the call is still successful but Matches will be an empty slice.
-// Returns error if the provided ACL is invalid.
-func (c *Client) PreviewACLForUser(ctx context.Context, acl ACL, user string) (res *ACLPreview, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.PreviewACLForUser: %w", err)
-		}
-	}()
-	postData, err := json.Marshal(acl.ACL)
-	if err != nil {
-		return nil, err
-	}
-	b, err := c.previewACLPostRequest(ctx, postData, "user", user)
-	if err != nil {
-		return nil, err
-	}
-
-	return &ACLPreview{
-		Matches: b.Matches,
-		User:    b.PreviewFor,
-	}, nil
-}
-
-// PreviewACLForIPPort determines what rules match a given ACL for a ipport.
-// The ACL can be a locally modified or clean ACL obtained from server.
-//
-// Returns ACLPreview on success with matches in a slice. If there are no matches,
-// the call is still successful but Matches will be an empty slice.
-// Returns error if the provided ACL is invalid.
-func (c *Client) PreviewACLForIPPort(ctx context.Context, acl ACL, ipport netip.AddrPort) (res *ACLPreview, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.PreviewACLForIPPort: %w", err)
-		}
-	}()
-	postData, err := json.Marshal(acl.ACL)
-	if err != nil {
-		return nil, err
-	}
-	b, err := c.previewACLPostRequest(ctx, postData, "ipport", ipport.String())
-	if err != nil {
-		return nil, err
-	}
-
-	return &ACLPreview{
-		Matches: b.Matches,
-		IPPort:  b.PreviewFor,
-	}, nil
-}
-
-// PreviewACLHuJSONForUser determines what rules match a given ACL for a user.
-// The ACL can be a locally modified or clean ACL obtained from server.
-//
-// Returns ACLPreview on success with matches in a slice. If there are no matches,
-// the call is still successful but Matches will be an empty slice.
-// Returns error if the provided ACL is invalid.
-func (c *Client) PreviewACLHuJSONForUser(ctx context.Context, acl ACLHuJSON, user string) (res *ACLPreview, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.PreviewACLHuJSONForUser: %w", err)
-		}
-	}()
-	postData := []byte(acl.ACL)
-	b, err := c.previewACLPostRequest(ctx, postData, "user", user)
-	if err != nil {
-		return nil, err
-	}
-
-	return &ACLPreview{
-		Matches: b.Matches,
-		User:    b.PreviewFor,
-	}, nil
-}
-
-// PreviewACLHuJSONForIPPort determines what rules match a given ACL for a ipport.
-// The ACL can be a locally modified or clean ACL obtained from server.
-//
-// Returns ACLPreview on success with matches in a slice. If there are no matches,
-// the call is still successful but Matches will be an empty slice.
-// Returns error if the provided ACL is invalid.
-func (c *Client) PreviewACLHuJSONForIPPort(ctx context.Context, acl ACLHuJSON, ipport string) (res *ACLPreview, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.PreviewACLHuJSONForIPPort: %w", err)
-		}
-	}()
-	postData := []byte(acl.ACL)
-	b, err := c.previewACLPostRequest(ctx, postData, "ipport", ipport)
-	if err != nil {
-		return nil, err
-	}
-
-	return &ACLPreview{
-		Matches: b.Matches,
-		IPPort:  b.PreviewFor,
-	}, nil
-}
-
-// ValidateACLJSON takes in the given source and destination (in this situation,
-// it is assumed that you are checking whether the source can connect to destination)
-// and creates an ACLTest from that. It then sends the ACLTest to the control api acl
-// validate endpoint, where the test is run. It returns a nil ACLTestError pointer if
-// no test errors occur.
-func (c *Client) ValidateACLJSON(ctx context.Context, source, dest string) (testErr *ACLTestError, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.ValidateACLJSON: %w", err)
-		}
-	}()
-
-	tests := []ACLTest{{User: source, Allow: []string{dest}}}
-	postData, err := json.Marshal(tests)
-	if err != nil {
-		return nil, err
-	}
-
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/acl/validate", c.baseURL(), c.tailnet)
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(postData))
-	if err != nil {
-		return nil, err
-	}
-
-	req.Header.Set("Content-Type", "application/json")
-	c.setAuth(req)
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-
-	if resp.StatusCode != http.StatusOK {
-		return nil, fmt.Errorf("control api responded with %d status code", resp.StatusCode)
-	}
-
-	// The test ran without fail
-	if len(b) == 0 {
-		return nil, nil
-	}
-
-	var res ACLTestError
-	// The test returned errors.
-	if err = json.Unmarshal(b, &res); err != nil {
-		// failed to unmarshal
-		return nil, err
-	}
-	return &res, nil
-}

client/tailscale/apitype/apitype.go

@@ -1,42 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// Package apitype contains types for the Tailscale LocalAPI and control plane API.
-package apitype
-
-import "tailscale.com/tailcfg"
-
-// LocalAPIHost is the Host header value used by the LocalAPI.
-const LocalAPIHost = "local-tailscaled.sock"
-
-// WhoIsResponse is the JSON type returned by tailscaled debug server's /whois?ip=$IP handler.
-// In successful whois responses, Node and UserProfile are never nil.
-type WhoIsResponse struct {
-	Node        *tailcfg.Node
-	UserProfile *tailcfg.UserProfile
-
-	// CapMap is a map of capabilities to their values.
-	// See tailcfg.PeerCapMap and tailcfg.PeerCapability for details.
-	CapMap tailcfg.PeerCapMap
-}
-
-// FileTarget is a node to which files can be sent, and the PeerAPI
-// URL base to do so via.
-type FileTarget struct {
-	Node *tailcfg.Node
-
-	// PeerAPI is the http://ip:port URL base of the node's PeerAPI,
-	// without any path (not even a single slash).
-	PeerAPIURL string
-}
-
-type WaitingFile struct {
-	Name string
-	Size int64
-}
-
-// SetPushDeviceTokenRequest is the body POSTed to the LocalAPI endpoint /set-device-token.
-type SetPushDeviceTokenRequest struct {
-	// PushDeviceToken is the iOS/macOS APNs device token (and any future Android equivalent).
-	PushDeviceToken string
-}

client/tailscale/apitype/controltype.go

@@ -1,19 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package apitype
-
-type DNSConfig struct {
-	Resolvers          []DNSResolver            `json:"resolvers"`
-	FallbackResolvers  []DNSResolver            `json:"fallbackResolvers"`
-	Routes             map[string][]DNSResolver `json:"routes"`
-	Domains            []string                 `json:"domains"`
-	Nameservers        []string                 `json:"nameservers"`
-	Proxied            bool                     `json:"proxied"`
-	TempCorpIssue13969 string                   `json:"TempCorpIssue13969,omitempty"`
-}
-
-type DNSResolver struct {
-	Addr                string   `json:"addr"`
-	BootstrapResolution []string `json:"bootstrapResolution,omitempty"`
-}

client/tailscale/devices.go

@@ -1,272 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build go1.19
-
-package tailscale
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"net/url"
-
-	"tailscale.com/types/opt"
-)
-
-type GetDevicesResponse struct {
-	Devices []*Device `json:"devices"`
-}
-
-type DerpRegion struct {
-	Preferred           bool    `json:"preferred,omitempty"`
-	LatencyMilliseconds float64 `json:"latencyMs"`
-}
-
-type ClientConnectivity struct {
-	Endpoints             []string `json:"endpoints"`
-	DERP                  string   `json:"derp"`
-	MappingVariesByDestIP opt.Bool `json:"mappingVariesByDestIP"`
-	// DERPLatency is mapped by region name (e.g. "New York City", "Seattle").
-	DERPLatency    map[string]DerpRegion `json:"latency"`
-	ClientSupports map[string]opt.Bool   `json:"clientSupports"`
-}
-
-type Device struct {
-	// Addresses is a list of the devices's Tailscale IP addresses.
-	// It's currently just 1 element, the 100.x.y.z Tailscale IP.
-	Addresses []string `json:"addresses"`
-	DeviceID  string   `json:"id"`
-	User      string   `json:"user"`
-	Name      string   `json:"name"`
-	Hostname  string   `json:"hostname"`
-
-	ClientVersion     string   `json:"clientVersion"`   // Empty for external devices.
-	UpdateAvailable   bool     `json:"updateAvailable"` // Empty for external devices.
-	OS                string   `json:"os"`
-	Tags              []string `json:"tags"`
-	Created           string   `json:"created"` // Empty for external devices.
-	LastSeen          string   `json:"lastSeen"`
-	KeyExpiryDisabled bool     `json:"keyExpiryDisabled"`
-	Expires           string   `json:"expires"`
-	Authorized        bool     `json:"authorized"`
-	IsExternal        bool     `json:"isExternal"`
-	MachineKey        string   `json:"machineKey"` // Empty for external devices.
-	NodeKey           string   `json:"nodeKey"`
-
-	// BlocksIncomingConnections is configured via the device's
-	// Tailscale client preferences. This field is only reported
-	// to the API starting with Tailscale 1.3.x clients.
-	BlocksIncomingConnections bool `json:"blocksIncomingConnections"`
-
-	// The following fields are not included by default:
-
-	// EnabledRoutes are the previously-approved subnet routes
-	// (e.g. "192.168.4.16/24", "10.5.2.4/32").
-	EnabledRoutes []string `json:"enabledRoutes"` // Empty for external devices.
-	// AdvertisedRoutes are the subnets (both enabled and not enabled)
-	// being requested from the node.
-	AdvertisedRoutes []string `json:"advertisedRoutes"` // Empty for external devices.
-
-	ClientConnectivity *ClientConnectivity `json:"clientConnectivity"`
-}
-
-// DeviceFieldsOpts determines which fields should be returned in the response.
-//
-// Please only use DeviceAllFields and DeviceDefaultFields.
-// Other DeviceFieldsOpts are not supported.
-//
-// TODO: Support other DeviceFieldsOpts.
-// In the future, users should be able to create their own DeviceFieldsOpts
-// as valid arguments by setting the fields they want returned to a "non-nil"
-// value. For example, DeviceFieldsOpts{NodeID: "true"} should only return NodeIDs.
-type DeviceFieldsOpts Device
-
-func (d *DeviceFieldsOpts) addFieldsToQueryParameter() string {
-	if d == DeviceDefaultFields || d == nil {
-		return "default"
-	}
-	if d == DeviceAllFields {
-		return "all"
-	}
-
-	return ""
-}
-
-var (
-	DeviceAllFields = &DeviceFieldsOpts{}
-
-	// DeviceDefaultFields specifies that the following fields are returned:
-	//   Addresses, NodeID, User, Name, Hostname, ClientVersion, UpdateAvailable,
-	//   OS, Created, LastSeen, KeyExpiryDisabled, Expires, Authorized, IsExternal
-	//   MachineKey, NodeKey, BlocksIncomingConnections.
-	DeviceDefaultFields = &DeviceFieldsOpts{}
-)
-
-// Devices retrieves the list of devices for a tailnet.
-//
-// See the Device structure for the list of fields hidden for external devices.
-// The optional fields parameter specifies which fields of the devices to return; currently
-// only DeviceDefaultFields (equivalent to nil) and DeviceAllFields are supported.
-// Other values are currently undefined.
-func (c *Client) Devices(ctx context.Context, fields *DeviceFieldsOpts) (deviceList []*Device, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.Devices: %w", err)
-		}
-	}()
-
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/devices", c.baseURL(), c.tailnet)
-	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
-	if err != nil {
-		return nil, err
-	}
-	// Add fields.
-	fieldStr := fields.addFieldsToQueryParameter()
-	q := req.URL.Query()
-	q.Add("fields", fieldStr)
-	req.URL.RawQuery = q.Encode()
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	var devices GetDevicesResponse
-	err = json.Unmarshal(b, &devices)
-	return devices.Devices, err
-}
-
-// Device retrieved the details for a specific device.
-//
-// See the Device structure for the list of fields hidden for an external device.
-// The optional fields parameter specifies which fields of the devices to return; currently
-// only DeviceDefaultFields (equivalent to nil) and DeviceAllFields are supported.
-// Other values are currently undefined.
-func (c *Client) Device(ctx context.Context, deviceID string, fields *DeviceFieldsOpts) (device *Device, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.Device: %w", err)
-		}
-	}()
-	path := fmt.Sprintf("%s/api/v2/device/%s", c.baseURL(), deviceID)
-	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
-	if err != nil {
-		return nil, err
-	}
-
-	// Add fields.
-	fieldStr := fields.addFieldsToQueryParameter()
-	q := req.URL.Query()
-	q.Add("fields", fieldStr)
-	req.URL.RawQuery = q.Encode()
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	err = json.Unmarshal(b, &device)
-	return device, err
-}
-
-// DeleteDevice deletes the specified device from the Client's tailnet.
-// NOTE: Only devices that belong to the Client's tailnet can be deleted.
-// Deleting external devices is not supported.
-func (c *Client) DeleteDevice(ctx context.Context, deviceID string) (err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.DeleteDevice: %w", err)
-		}
-	}()
-
-	path := fmt.Sprintf("%s/api/v2/device/%s", c.baseURL(), url.PathEscape(deviceID))
-	req, err := http.NewRequestWithContext(ctx, "DELETE", path, nil)
-	if err != nil {
-		return err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return err
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return handleErrorResponse(b, resp)
-	}
-	return nil
-}
-
-// AuthorizeDevice marks a device as authorized.
-func (c *Client) AuthorizeDevice(ctx context.Context, deviceID string) error {
-	return c.SetAuthorized(ctx, deviceID, true)
-}
-
-// SetAuthorized marks a device as authorized or not.
-func (c *Client) SetAuthorized(ctx context.Context, deviceID string, authorized bool) error {
-	params := &struct {
-		Authorized bool `json:"authorized"`
-	}{Authorized: authorized}
-	data, err := json.Marshal(params)
-	if err != nil {
-		return err
-	}
-	path := fmt.Sprintf("%s/api/v2/device/%s/authorized", c.baseURL(), url.PathEscape(deviceID))
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(data))
-	if err != nil {
-		return err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return err
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return handleErrorResponse(b, resp)
-	}
-
-	return nil
-}
-
-// SetTags updates the ACL tags on a device.
-func (c *Client) SetTags(ctx context.Context, deviceID string, tags []string) error {
-	params := &struct {
-		Tags []string `json:"tags"`
-	}{Tags: tags}
-	data, err := json.Marshal(params)
-	if err != nil {
-		return err
-	}
-	path := fmt.Sprintf("%s/api/v2/device/%s/tags", c.baseURL(), url.PathEscape(deviceID))
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(data))
-	if err != nil {
-		return err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return err
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return handleErrorResponse(b, resp)
-	}
-
-	return nil
-}

client/tailscale/dns.go

@@ -1,233 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build go1.19
-
-package tailscale
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"fmt"
-	"net/http"
-
-	"tailscale.com/client/tailscale/apitype"
-)
-
-// DNSNameServers is returned when retrieving the list of nameservers.
-// It is also the structure provided when setting nameservers.
-type DNSNameServers struct {
-	DNS []string `json:"dns"` // DNS name servers
-}
-
-// DNSNameServersPostResponse is returned when setting the list of DNS nameservers.
-//
-// It includes the MagicDNS status since nameservers changes may affect MagicDNS.
-type DNSNameServersPostResponse struct {
-	DNS      []string `json:"dns"`      // DNS name servers
-	MagicDNS bool     `json:"magicDNS"` // whether MagicDNS is active for this tailnet (enabled + has fallback nameservers)
-}
-
-// DNSSearchpaths is the list of search paths for a given domain.
-type DNSSearchPaths struct {
-	SearchPaths []string `json:"searchPaths"` // DNS search paths
-}
-
-// DNSPreferences is the preferences set for a given tailnet.
-//
-// It includes MagicDNS which can be turned on or off. To enable MagicDNS,
-// there must be at least one nameserver. When all nameservers are removed,
-// MagicDNS is disabled.
-type DNSPreferences struct {
-	MagicDNS bool `json:"magicDNS"` // whether MagicDNS is active for this tailnet (enabled + has fallback nameservers)
-}
-
-func (c *Client) dnsGETRequest(ctx context.Context, endpoint string) ([]byte, error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/dns/%s", c.baseURL(), c.tailnet, endpoint)
-	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
-	if err != nil {
-		return nil, err
-	}
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	return b, nil
-}
-
-func (c *Client) dnsPOSTRequest(ctx context.Context, endpoint string, postData any) ([]byte, error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/dns/%s", c.baseURL(), c.tailnet, endpoint)
-	data, err := json.Marshal(&postData)
-	if err != nil {
-		return nil, err
-	}
-
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(data))
-	req.Header.Set("Content-Type", "application/json")
-	if err != nil {
-		return nil, err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	return b, nil
-}
-
-// DNSConfig retrieves the DNSConfig settings for a domain.
-func (c *Client) DNSConfig(ctx context.Context) (cfg *apitype.DNSConfig, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.DNSConfig: %w", err)
-		}
-	}()
-	b, err := c.dnsGETRequest(ctx, "config")
-	if err != nil {
-		return nil, err
-	}
-	var dnsResp apitype.DNSConfig
-	err = json.Unmarshal(b, &dnsResp)
-	return &dnsResp, err
-}
-
-func (c *Client) SetDNSConfig(ctx context.Context, cfg apitype.DNSConfig) (resp *apitype.DNSConfig, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetDNSConfig: %w", err)
-		}
-	}()
-	var dnsResp apitype.DNSConfig
-	b, err := c.dnsPOSTRequest(ctx, "config", cfg)
-	if err != nil {
-		return nil, err
-	}
-	err = json.Unmarshal(b, &dnsResp)
-	return &dnsResp, err
-}
-
-// NameServers retrieves the list of nameservers set for a domain.
-func (c *Client) NameServers(ctx context.Context) (nameservers []string, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.NameServers: %w", err)
-		}
-	}()
-	b, err := c.dnsGETRequest(ctx, "nameservers")
-	if err != nil {
-		return nil, err
-	}
-	var dnsResp DNSNameServers
-	err = json.Unmarshal(b, &dnsResp)
-	return dnsResp.DNS, err
-}
-
-// SetNameServers sets the list of nameservers for a tailnet to the list provided
-// by the user.
-//
-// It returns the new list of nameservers and the MagicDNS status in case it was
-// affected by the change. For example, removing all nameservers will turn off
-// MagicDNS.
-func (c *Client) SetNameServers(ctx context.Context, nameservers []string) (dnsResp *DNSNameServersPostResponse, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetNameServers: %w", err)
-		}
-	}()
-	dnsReq := DNSNameServers{DNS: nameservers}
-	b, err := c.dnsPOSTRequest(ctx, "nameservers", dnsReq)
-	if err != nil {
-		return nil, err
-	}
-	err = json.Unmarshal(b, &dnsResp)
-	return dnsResp, err
-}
-
-// DNSPreferences retrieves the DNS preferences set for a tailnet.
-//
-// It returns the status of MagicDNS.
-func (c *Client) DNSPreferences(ctx context.Context) (dnsResp *DNSPreferences, err error) {
-	// Format return errors to be descriptive.
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.DNSPreferences: %w", err)
-		}
-	}()
-	b, err := c.dnsGETRequest(ctx, "preferences")
-	if err != nil {
-		return nil, err
-	}
-	err = json.Unmarshal(b, &dnsResp)
-	return dnsResp, err
-}
-
-// SetDNSPreferences sets the DNS preferences for a tailnet.
-//
-// MagicDNS can only be enabled when there is at least one nameserver provided.
-// When all nameservers are removed, MagicDNS is disabled and will stay disabled,
-// unless explicitly enabled by a user again.
-func (c *Client) SetDNSPreferences(ctx context.Context, magicDNS bool) (dnsResp *DNSPreferences, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetDNSPreferences: %w", err)
-		}
-	}()
-	dnsReq := DNSPreferences{MagicDNS: magicDNS}
-	b, err := c.dnsPOSTRequest(ctx, "preferences", dnsReq)
-	if err != nil {
-		return
-	}
-	err = json.Unmarshal(b, &dnsResp)
-	return dnsResp, err
-}
-
-// SearchPaths retrieves the list of searchpaths set for a tailnet.
-func (c *Client) SearchPaths(ctx context.Context) (searchpaths []string, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SearchPaths: %w", err)
-		}
-	}()
-	b, err := c.dnsGETRequest(ctx, "searchpaths")
-	if err != nil {
-		return nil, err
-	}
-	var dnsResp *DNSSearchPaths
-	err = json.Unmarshal(b, &dnsResp)
-	return dnsResp.SearchPaths, err
-}
-
-// SetSearchPaths sets the list of searchpaths for a tailnet.
-func (c *Client) SetSearchPaths(ctx context.Context, searchpaths []string) (newSearchPaths []string, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetSearchPaths: %w", err)
-		}
-	}()
-	dnsReq := DNSSearchPaths{SearchPaths: searchpaths}
-	b, err := c.dnsPOSTRequest(ctx, "searchpaths", dnsReq)
-	if err != nil {
-		return nil, err
-	}
-	var dnsResp DNSSearchPaths
-	err = json.Unmarshal(b, &dnsResp)
-	return dnsResp.SearchPaths, err
-}

client/tailscale/example/servetls/servetls.go

@@ -1,28 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// The servetls program shows how to run an HTTPS server
-// using a Tailscale cert via LetsEncrypt.
-package main
-
-import (
-	"crypto/tls"
-	"io"
-	"log"
-	"net/http"
-
-	"tailscale.com/client/tailscale"
-)
-
-func main() {
-	s := &http.Server{
-		TLSConfig: &tls.Config{
-			GetCertificate: tailscale.GetCertificate,
-		},
-		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			io.WriteString(w, "<h1>Hello from Tailscale!</h1> It works.")
-		}),
-	}
-	log.Printf("Running TLS server on :443 ...")
-	log.Fatal(s.ListenAndServeTLS("", ""))
-}

client/tailscale/keys.go

@@ -1,166 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package tailscale
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"time"
-)
-
-// Key represents a Tailscale API or auth key.
-type Key struct {
-	ID           string          `json:"id"`
-	Created      time.Time       `json:"created"`
-	Expires      time.Time       `json:"expires"`
-	Capabilities KeyCapabilities `json:"capabilities"`
-}
-
-// KeyCapabilities are the capabilities of a Key.
-type KeyCapabilities struct {
-	Devices KeyDeviceCapabilities `json:"devices,omitempty"`
-}
-
-// KeyDeviceCapabilities are the device-related capabilities of a Key.
-type KeyDeviceCapabilities struct {
-	Create KeyDeviceCreateCapabilities `json:"create"`
-}
-
-// KeyDeviceCreateCapabilities are the device creation capabilities of a Key.
-type KeyDeviceCreateCapabilities struct {
-	Reusable      bool     `json:"reusable"`
-	Ephemeral     bool     `json:"ephemeral"`
-	Preauthorized bool     `json:"preauthorized"`
-	Tags          []string `json:"tags,omitempty"`
-}
-
-// Keys returns the list of keys for the current user.
-func (c *Client) Keys(ctx context.Context) ([]string, error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys", c.baseURL(), c.tailnet)
-	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
-	if err != nil {
-		return nil, err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	var keys struct {
-		Keys []*Key `json:"keys"`
-	}
-	if err := json.Unmarshal(b, &keys); err != nil {
-		return nil, err
-	}
-	ret := make([]string, 0, len(keys.Keys))
-	for _, k := range keys.Keys {
-		ret = append(ret, k.ID)
-	}
-	return ret, nil
-}
-
-// CreateKey creates a new key for the current user. Currently, only auth keys
-// can be created. It returns the secret key itself, which cannot be retrieved again
-// later, and the key metadata.
-//
-// To create a key with a specific expiry, use CreateKeyWithExpiry.
-func (c *Client) CreateKey(ctx context.Context, caps KeyCapabilities) (keySecret string, keyMeta *Key, _ error) {
-	return c.CreateKeyWithExpiry(ctx, caps, 0)
-}
-
-// CreateKeyWithExpiry is like CreateKey, but allows specifying a expiration time.
-//
-// The time is truncated to a whole number of seconds. If zero, that means no expiration.
-func (c *Client) CreateKeyWithExpiry(ctx context.Context, caps KeyCapabilities, expiry time.Duration) (keySecret string, keyMeta *Key, _ error) {
-
-	// convert expirySeconds to an int64 (seconds)
-	expirySeconds := int64(expiry.Seconds())
-	if expirySeconds < 0 {
-		return "", nil, fmt.Errorf("expiry must be positive")
-	}
-	if expirySeconds == 0 && expiry != 0 {
-		return "", nil, fmt.Errorf("non-zero expiry must be at least one second")
-	}
-
-	keyRequest := struct {
-		Capabilities  KeyCapabilities `json:"capabilities"`
-		ExpirySeconds int64           `json:"expirySeconds,omitempty"`
-	}{caps, int64(expirySeconds)}
-	bs, err := json.Marshal(keyRequest)
-	if err != nil {
-		return "", nil, err
-	}
-
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys", c.baseURL(), c.tailnet)
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewReader(bs))
-	if err != nil {
-		return "", nil, err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return "", nil, err
-	}
-	if resp.StatusCode != http.StatusOK {
-		return "", nil, handleErrorResponse(b, resp)
-	}
-
-	var key struct {
-		Key
-		Secret string `json:"key"`
-	}
-	if err := json.Unmarshal(b, &key); err != nil {
-		return "", nil, err
-	}
-	return key.Secret, &key.Key, nil
-}
-
-// Key returns the metadata for the given key ID. Currently, capabilities are
-// only returned for auth keys, API keys only return general metadata.
-func (c *Client) Key(ctx context.Context, id string) (*Key, error) {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys/%s", c.baseURL(), c.tailnet, id)
-	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
-	if err != nil {
-		return nil, err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	var key Key
-	if err := json.Unmarshal(b, &key); err != nil {
-		return nil, err
-	}
-	return &key, nil
-}
-
-// DeleteKey deletes the key with the given ID.
-func (c *Client) DeleteKey(ctx context.Context, id string) error {
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s/keys/%s", c.baseURL(), c.tailnet, id)
-	req, err := http.NewRequestWithContext(ctx, "DELETE", path, nil)
-	if err != nil {
-		return err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return err
-	}
-	if resp.StatusCode != http.StatusOK {
-		return handleErrorResponse(b, resp)
-	}
-	return nil
-}

client/tailscale/localclient_test.go

@@ -1,27 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build go1.19
-
-package tailscale
-
-import "testing"
-
-func TestGetServeConfigFromJSON(t *testing.T) {
-	sc, err := getServeConfigFromJSON([]byte("null"))
-	if sc != nil {
-		t.Errorf("want nil for null")
-	}
-	if err != nil {
-		t.Errorf("reading null: %v", err)
-	}
-
-	sc, err = getServeConfigFromJSON([]byte(`{"TCP":{}}`))
-	if err != nil {
-		t.Errorf("reading object: %v", err)
-	} else if sc == nil {
-		t.Errorf("want non-nil for object")
-	} else if sc.TCP == nil {
-		t.Errorf("want non-nil TCP for object")
-	}
-}

client/tailscale/required_version.go

@@ -1,10 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build !go1.21
-
-package tailscale
-
-func init() {
-	you_need_Go_1_21_to_compile_Tailscale()
-}

client/tailscale/routes.go

@@ -1,95 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build go1.19
-
-package tailscale
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"fmt"
-	"net/http"
-	"net/netip"
-)
-
-// Routes contains the lists of subnet routes that are currently advertised by a device,
-// as well as the subnets that are enabled to be routed by the device.
-type Routes struct {
-	AdvertisedRoutes []netip.Prefix `json:"advertisedRoutes"`
-	EnabledRoutes    []netip.Prefix `json:"enabledRoutes"`
-}
-
-// Routes retrieves the list of subnet routes that have been enabled for a device.
-// The routes that are returned are not necessarily advertised by the device,
-// they have only been preapproved.
-func (c *Client) Routes(ctx context.Context, deviceID string) (routes *Routes, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.Routes: %w", err)
-		}
-	}()
-
-	path := fmt.Sprintf("%s/api/v2/device/%s/routes", c.baseURL(), deviceID)
-	req, err := http.NewRequestWithContext(ctx, "GET", path, nil)
-	if err != nil {
-		return nil, err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	var sr Routes
-	err = json.Unmarshal(b, &sr)
-	return &sr, err
-}
-
-type postRoutesParams struct {
-	Routes []netip.Prefix `json:"routes"`
-}
-
-// SetRoutes updates the list of subnets that are enabled for a device.
-// Subnets must be parsable by net/netip.ParsePrefix.
-// Subnets do not have to be currently advertised by a device, they may be pre-enabled.
-// Returns the updated list of enabled and advertised subnet routes in a *Routes object.
-func (c *Client) SetRoutes(ctx context.Context, deviceID string, subnets []netip.Prefix) (routes *Routes, err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.SetRoutes: %w", err)
-		}
-	}()
-	params := &postRoutesParams{Routes: subnets}
-	data, err := json.Marshal(params)
-	if err != nil {
-		return nil, err
-	}
-	path := fmt.Sprintf("%s/api/v2/device/%s/routes", c.baseURL(), deviceID)
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(data))
-	if err != nil {
-		return nil, err
-	}
-
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return nil, err
-	}
-	// If status code was not successful, return the error.
-	// TODO: Change the check for the StatusCode to include other 2XX success codes.
-	if resp.StatusCode != http.StatusOK {
-		return nil, handleErrorResponse(b, resp)
-	}
-
-	var srr *Routes
-	if err := json.Unmarshal(b, &srr); err != nil {
-		return nil, err
-	}
-	return srr, err
-}

client/tailscale/tailnet.go

@@ -1,42 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build go1.19
-
-package tailscale
-
-import (
-	"context"
-	"fmt"
-	"net/http"
-	"net/url"
-
-	"tailscale.com/util/httpm"
-)
-
-// TailnetDeleteRequest handles sending a DELETE request for a tailnet to control.
-func (c *Client) TailnetDeleteRequest(ctx context.Context, tailnetID string) (err error) {
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf("tailscale.DeleteTailnet: %w", err)
-		}
-	}()
-
-	path := fmt.Sprintf("%s/api/v2/tailnet/%s", c.baseURL(), url.PathEscape(string(tailnetID)))
-	req, err := http.NewRequestWithContext(ctx, httpm.DELETE, path, nil)
-	if err != nil {
-		return err
-	}
-
-	c.setAuth(req)
-	b, resp, err := c.sendRequest(req)
-	if err != nil {
-		return err
-	}
-
-	if resp.StatusCode != http.StatusOK {
-		return handleErrorResponse(b, resp)
-	}
-
-	return nil
-}

client/tailscale/tailscale.go

@@ -1,157 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build go1.19
-
-// Package tailscale contains Go clients for the Tailscale LocalAPI and
-// Tailscale control plane API.
-//
-// Warning: this package is in development and makes no API compatibility
-// promises as of 2022-04-29. It is subject to change at any time.
-package tailscale
-
-import (
-	"encoding/json"
-	"errors"
-	"fmt"
-	"io"
-	"net/http"
-)
-
-// I_Acknowledge_This_API_Is_Unstable must be set true to use this package
-// for now. It was added 2022-04-29 when it was moved to this git repo
-// and will be removed when the public API has settled.
-//
-// TODO(bradfitz): remove this after the we're happy with the public API.
-var I_Acknowledge_This_API_Is_Unstable = false
-
-// TODO: use url.PathEscape() for deviceID and tailnets when constructing requests.
-
-const defaultAPIBase = "https://api.tailscale.com"
-
-// maxSize is the maximum read size (10MB) of responses from the server.
-const maxReadSize = 10 << 20
-
-// Client makes API calls to the Tailscale control plane API server.
-//
-// Use NewClient to instantiate one. Exported fields should be set before
-// the client is used and not changed thereafter.
-type Client struct {
-	// tailnet is the globally unique identifier for a Tailscale network, such
-	// as "example.com" or "user@gmail.com".
-	tailnet string
-	// auth is the authentication method to use for this client.
-	// nil means none, which generally won't work, but won't crash.
-	auth AuthMethod
-
-	// BaseURL optionally specifies an alternate API server to use.
-	// If empty, "https://api.tailscale.com" is used.
-	BaseURL string
-
-	// HTTPClient optionally specifies an alternate HTTP client to use.
-	// If nil, http.DefaultClient is used.
-	HTTPClient *http.Client
-}
-
-func (c *Client) httpClient() *http.Client {
-	if c.HTTPClient != nil {
-		return c.HTTPClient
-	}
-	return http.DefaultClient
-}
-
-func (c *Client) baseURL() string {
-	if c.BaseURL != "" {
-		return c.BaseURL
-	}
-	return defaultAPIBase
-}
-
-// AuthMethod is the interface for API authentication methods.
-//
-// Most users will use AuthKey.
-type AuthMethod interface {
-	modifyRequest(req *http.Request)
-}
-
-// APIKey is an AuthMethod for NewClient that authenticates requests
-// using an authkey.
-type APIKey string
-
-func (ak APIKey) modifyRequest(req *http.Request) {
-	req.SetBasicAuth(string(ak), "")
-}
-
-func (c *Client) setAuth(r *http.Request) {
-	if c.auth != nil {
-		c.auth.modifyRequest(r)
-	}
-}
-
-// NewClient is a convenience method for instantiating a new Client.
-//
-// tailnet is the globally unique identifier for a Tailscale network, such
-// as "example.com" or "user@gmail.com".
-// If httpClient is nil, then http.DefaultClient is used.
-// "api.tailscale.com" is set as the BaseURL for the returned client
-// and can be changed manually by the user.
-func NewClient(tailnet string, auth AuthMethod) *Client {
-	return &Client{
-		tailnet: tailnet,
-		auth:    auth,
-	}
-}
-
-func (c *Client) Tailnet() string { return c.tailnet }
-
-// Do sends a raw HTTP request, after adding any authentication headers.
-func (c *Client) Do(req *http.Request) (*http.Response, error) {
-	if !I_Acknowledge_This_API_Is_Unstable {
-		return nil, errors.New("use of Client without setting I_Acknowledge_This_API_Is_Unstable")
-	}
-	c.setAuth(req)
-	return c.httpClient().Do(req)
-}
-
-// sendRequest add the authentication key to the request and sends it. It
-// receives the response and reads up to 10MB of it.
-func (c *Client) sendRequest(req *http.Request) ([]byte, *http.Response, error) {
-	if !I_Acknowledge_This_API_Is_Unstable {
-		return nil, nil, errors.New("use of Client without setting I_Acknowledge_This_API_Is_Unstable")
-	}
-	c.setAuth(req)
-	resp, err := c.httpClient().Do(req)
-	if err != nil {
-		return nil, resp, err
-	}
-	defer resp.Body.Close()
-
-	// Read response. Limit the response to 10MB.
-	body := io.LimitReader(resp.Body, maxReadSize+1)
-	b, err := io.ReadAll(body)
-	if len(b) > maxReadSize {
-		err = errors.New("API response too large")
-	}
-	return b, resp, err
-}
-
-// ErrResponse is the HTTP error returned by the Tailscale server.
-type ErrResponse struct {
-	Status  int
-	Message string
-}
-
-func (e ErrResponse) Error() string {
-	return fmt.Sprintf("Status: %d, Message: %q", e.Status, e.Message)
-}
-
-// handleErrorResponse decodes the error message from the server and returns
-// an ErrResponse from it.
-func handleErrorResponse(b []byte, resp *http.Response) error {
-	var errResp ErrResponse
-	if err := json.Unmarshal(b, &errResp); err != nil {
-		return err
-	}
-	errResp.Status = resp.StatusCode
-	return errResp
-}

client/web/dev.go

@@ -1,75 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package web
-
-import (
-	"log"
-	"net/http"
-	"net/http/httputil"
-	"net/url"
-	"os"
-	"os/exec"
-	"path/filepath"
-	"strings"
-)
-
-// startDevServer starts the JS dev server that does on-demand rebuilding
-// and serving of web client JS and CSS resources.
-func (s *Server) startDevServer() (cleanup func()) {
-	root := gitRootDir()
-	webClientPath := filepath.Join(root, "client", "web")
-
-	yarn := filepath.Join(root, "tool", "yarn")
-	node := filepath.Join(root, "tool", "node")
-	vite := filepath.Join(webClientPath, "node_modules", ".bin", "vite")
-
-	log.Printf("installing JavaScript deps using %s... (might take ~30s)", yarn)
-	out, err := exec.Command(yarn, "--non-interactive", "-s", "--cwd", webClientPath, "install").CombinedOutput()
-	if err != nil {
-		log.Fatalf("error running tailscale web's yarn install: %v, %s", err, out)
-	}
-	log.Printf("starting JavaScript dev server...")
-	cmd := exec.Command(node, vite)
-	cmd.Dir = webClientPath
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	if err := cmd.Start(); err != nil {
-		log.Fatalf("Starting JS dev server: %v", err)
-	}
-	log.Printf("JavaScript dev server running as pid %d", cmd.Process.Pid)
-	return func() {
-		cmd.Process.Signal(os.Interrupt)
-		err := cmd.Wait()
-		log.Printf("JavaScript dev server exited: %v", err)
-	}
-}
-
-func (s *Server) addProxyToDevServer() {
-	if !s.devMode {
-		return // only using Vite proxy in dev mode
-	}
-	// We use Vite to develop on the web client.
-	// Vite starts up its own local server for development,
-	// which we proxy requests to from Server.ServeHTTP.
-	// Here we set up the proxy to Vite's server.
-	handleErr := func(w http.ResponseWriter, r *http.Request, err error) {
-		w.Header().Set("Content-Type", "text/plain")
-		w.WriteHeader(http.StatusBadGateway)
-		w.Write([]byte("The web client development server isn't running. " +
-			"Run `./tool/yarn --cwd client/web start` from " +
-			"the repo root to start the development server."))
-		w.Write([]byte("\n\nError: " + err.Error()))
-	}
-	viteTarget, _ := url.Parse("http://127.0.0.1:4000")
-	s.devProxy = httputil.NewSingleHostReverseProxy(viteTarget)
-	s.devProxy.ErrorHandler = handleErr
-}
-
-func gitRootDir() string {
-	top, err := exec.Command("git", "rev-parse", "--show-toplevel").Output()
-	if err != nil {
-		log.Fatalf("failed to find git top level (not in corp git?): %v", err)
-	}
-	return strings.TrimSpace(string(top))
-}

client/web/index.html

@@ -1,29 +0,0 @@
-<!doctype html>
-<html class="bg-gray-50">
-  <head>
-    <title>Tailscale</title>
-    <meta charset="utf-8" />
-    <meta name="viewport" content="width=device-width, initial-scale=1" />
-    <link rel="shortcut icon" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAQAAADZc7J/AAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JgAAgIQAAPoAAACA6AAAdTAAAOpgAAA6mAAAF3CculE8AAAAAmJLR0QA/4ePzL8AAAAHdElNRQflAx4QGA4EvmzDAAAA30lEQVRIx2NgGAWMCKa8JKM4A8Ovt88ekyLCDGOoyDBJMjExMbFy8zF8/EKsCAMDE8yAPyIwFps48SJIBpAL4AZwvoSx/r0lXgQpDN58EWL5x/7/H+vL20+JFxluQKVe5b3Ke5V+0kQQCamfoYKBg4GDwUKI8d0BYkWQkrLKewYBKPPDHUFiRaiZkBgmwhj/F5IgggyUJ6i8V3mv0kCayDAAeEsklXqGAgYGhgV3CnGrwVciYSYk0kokhgS44/JxqqFpiYSZbEgskd4dEBRk1GD4wdB5twKXmlHAwMDAAACdEZau06NQUwAAACV0RVh0ZGF0ZTpjcmVhdGUAMjAyMC0wNy0xNVQxNTo1Mzo0MCswMDowMCVXsDIAAAAldEVYdGRhdGU6bW9kaWZ5ADIwMjAtMDctMTVUMTU6NTM6NDArMDA6MDBUCgiOAAAAAElFTkSuQmCC" />
-    <link rel="stylesheet" type="text/css" href="/src/index.css" />
-  </head>
-  <body>
-    <div class="min-h-screen py-10 flex justify-center items-center" style="display: none">
-      <div class="max-w-md">
-        <h3 class="font-semibold text-lg mb-4">Your web browser is unsupported.</h3>
-        <p class="mb-2">
-          Update to a modern browser to access the Tailscale web client. You can use
-          <a class="link" href="https://www.mozilla.org/en-US/firefox/new/" target="_blank">Firefox</a>,
-          <a class="link" href="https://www.microsoft.com/en-us/edge" target="_blank">Edge</a>,
-          <a class="link" href="https://www.apple.com/safari/" target="_blank">Safari</a>,
-          or <a class="link" href="https://www.google.com/chrome/" target="_blank">Chrome</a>.</p>
-        <p>If you need any help, feel free to <a href="mailto:support+webclient@tailscale.com" class="link">contact us</a></p>
-      </div>
-    </div>
-    <noscript>
-      <p class="mb-2">You need to enable Javascript to access the Tailscale web client.</p>
-      <p>If you need any help, feel free to <a href="mailto:support+webclient@tailscale.com" class="link">contact us</a>.</p>
-    </noscript>
-    <script type="module" src="/src/index.tsx"></script>
-  </body>
-</html>

client/web/package.json

@@ -1,44 +0,0 @@
-{
-  "name": "webclient",
-  "version": "0.0.1",
-  "license": "BSD-3-Clause",
-  "engines": {
-    "node": "18.16.1",
-    "yarn": "1.22.19"
-  },
-  "private": true,
-  "dependencies": {
-    "classnames": "^2.3.1",
-    "react": "^18.2.0",
-    "react-dom": "^18.2.0"
-  },
-  "devDependencies": {
-    "@types/classnames": "^2.2.10",
-    "@types/react": "^18.0.20",
-    "@types/react-dom": "^18.0.6",
-    "@vitejs/plugin-react-swc": "^3.3.2",
-    "autoprefixer": "^10.4.15",
-    "postcss": "^8.4.27",
-    "prettier": "^2.5.1",
-    "prettier-plugin-organize-imports": "^3.2.2",
-    "tailwindcss": "^3.3.3",
-    "typescript": "^4.7.4",
-    "vite": "^4.3.9",
-    "vite-plugin-rewrite-all": "^1.0.1",
-    "vite-plugin-svgr": "^3.2.0",
-    "vite-tsconfig-paths": "^3.5.0",
-    "vitest": "^0.32.0"
-  },
-  "scripts": {
-    "build": "vite build",
-    "start": "vite",
-    "lint": "tsc --noEmit",
-    "test": "vitest",
-    "format": "prettier --write 'src/**/*.{ts,tsx}'",
-    "format-check": "prettier --check 'src/**/*.{ts,tsx}'"
-  },
-  "prettier": {
-    "semi": false,
-    "printWidth": 80
-  }
-}

client/web/postcss.config.js

@@ -1,6 +0,0 @@
-module.exports = {
-  plugins: {
-    tailwindcss: {},
-    autoprefixer: {},
-  },
-}

client/web/qnap.go

@@ -1,130 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// qnap.go contains handlers and logic, such as authentication,
-// that is specific to running the web client on QNAP.
-
-package web
-
-import (
-	"crypto/tls"
-	"encoding/xml"
-	"fmt"
-	"io"
-	"log"
-	"net/http"
-	"net/url"
-)
-
-const qnapPrefix = "/cgi-bin/qpkg/Tailscale/index.cgi/"
-
-// authorizeQNAP authenticates the logged-in QNAP user and verifies
-// that they are authorized to use the web client.  It returns true if the
-// request was handled and no further processing is required.
-func authorizeQNAP(w http.ResponseWriter, r *http.Request) (handled bool) {
-	_, resp, err := qnapAuthn(r)
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusUnauthorized)
-		return true
-	}
-	if resp.IsAdmin == 0 {
-		http.Error(w, "user is not an admin", http.StatusForbidden)
-		return true
-	}
-
-	return false
-}
-
-type qnapAuthResponse struct {
-	AuthPassed int    `xml:"authPassed"`
-	IsAdmin    int    `xml:"isAdmin"`
-	AuthSID    string `xml:"authSid"`
-	ErrorValue int    `xml:"errorValue"`
-}
-
-func qnapAuthn(r *http.Request) (string, *qnapAuthResponse, error) {
-	user, err := r.Cookie("NAS_USER")
-	if err != nil {
-		return "", nil, err
-	}
-	token, err := r.Cookie("qtoken")
-	if err == nil {
-		return qnapAuthnQtoken(r, user.Value, token.Value)
-	}
-	sid, err := r.Cookie("NAS_SID")
-	if err == nil {
-		return qnapAuthnSid(r, user.Value, sid.Value)
-	}
-	return "", nil, fmt.Errorf("not authenticated by any mechanism")
-}
-
-// qnapAuthnURL returns the auth URL to use by inferring where the UI is
-// running based on the request URL. This is necessary because QNAP has so
-// many options, see https://github.com/tailscale/tailscale/issues/7108
-// and https://github.com/tailscale/tailscale/issues/6903
-func qnapAuthnURL(requestUrl string, query url.Values) string {
-	in, err := url.Parse(requestUrl)
-	scheme := ""
-	host := ""
-	if err != nil || in.Scheme == "" {
-		log.Printf("Cannot parse QNAP login URL %v", err)
-
-		// try localhost and hope for the best
-		scheme = "http"
-		host = "localhost"
-	} else {
-		scheme = in.Scheme
-		host = in.Host
-	}
-
-	u := url.URL{
-		Scheme:   scheme,
-		Host:     host,
-		Path:     "/cgi-bin/authLogin.cgi",
-		RawQuery: query.Encode(),
-	}
-
-	return u.String()
-}
-
-func qnapAuthnQtoken(r *http.Request, user, token string) (string, *qnapAuthResponse, error) {
-	query := url.Values{
-		"qtoken": []string{token},
-		"user":   []string{user},
-	}
-	return qnapAuthnFinish(user, qnapAuthnURL(r.URL.String(), query))
-}
-
-func qnapAuthnSid(r *http.Request, user, sid string) (string, *qnapAuthResponse, error) {
-	query := url.Values{
-		"sid": []string{sid},
-	}
-	return qnapAuthnFinish(user, qnapAuthnURL(r.URL.String(), query))
-}
-
-func qnapAuthnFinish(user, url string) (string, *qnapAuthResponse, error) {
-	// QNAP Force HTTPS mode uses a self-signed certificate. Even importing
-	// the QNAP root CA isn't enough, the cert doesn't have a usable CN nor
-	// SAN. See https://github.com/tailscale/tailscale/issues/6903
-	tr := &http.Transport{
-		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
-	}
-	client := &http.Client{Transport: tr}
-	resp, err := client.Get(url)
-	if err != nil {
-		return "", nil, err
-	}
-	defer resp.Body.Close()
-	out, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return "", nil, err
-	}
-	authResp := &qnapAuthResponse{}
-	if err := xml.Unmarshal(out, authResp); err != nil {
-		return "", nil, err
-	}
-	if authResp.AuthPassed == 0 {
-		return "", nil, fmt.Errorf("not authenticated")
-	}
-	return user, authResp, nil
-}

client/web/src/api.ts

@@ -1,32 +0,0 @@
-let csrfToken: string
-
-// apiFetch wraps the standard JS fetch function
-// with csrf header management.
-export function apiFetch(
-  input: RequestInfo | URL,
-  init?: RequestInit | undefined
-): Promise<Response> {
-  return fetch(input, {
-    ...init,
-    headers: withCsrfToken(init?.headers),
-  }).then((r) => {
-    updateCsrfToken(r)
-    if (!r.ok) {
-      return r.text().then((err) => {
-        throw new Error(err)
-      })
-    }
-    return r
-  })
-}
-
-function withCsrfToken(h?: HeadersInit): HeadersInit {
-  return { ...h, "X-CSRF-Token": csrfToken }
-}
-
-function updateCsrfToken(r: Response) {
-  const tok = r.headers.get("X-CSRF-Token")
-  if (tok) {
-    csrfToken = tok
-  }
-}

client/web/src/components/app.tsx

@@ -1,27 +0,0 @@
-import React from "react"
-import { Footer, Header, IP, State } from "src/components/legacy"
-import useNodeData from "src/hooks/node-data"
-
-export default function App() {
-  // TODO(sonia): use isPosting value from useNodeData
-  // to fill loading states.
-  const { data, updateNode } = useNodeData()
-
-  return (
-    <div className="py-14">
-      {!data ? (
-        // TODO(sonia): add a loading view
-        <div className="text-center">Loading...</div>
-      ) : (
-        <>
-          <main className="container max-w-lg mx-auto mb-8 py-6 px-8 bg-white rounded-md shadow-2xl">
-            <Header data={data} updateNode={updateNode} />
-            <IP data={data} />
-            <State data={data} updateNode={updateNode} />
-          </main>
-          <Footer data={data} />
-        </>
-      )}
-    </div>
-  )
-}

client/web/src/components/legacy.tsx

@@ -1,291 +0,0 @@
-import cx from "classnames"
-import React from "react"
-import { NodeData, NodeUpdate } from "src/hooks/node-data"
-
-// TODO(tailscale/corp#13775): legacy.tsx contains a set of components
-// that (crudely) implement the pre-2023 web client. These are implemented
-// purely to ease migration to the new React-based web client, and will
-// eventually be completely removed.
-
-export function Header({
-  data,
-  updateNode,
-}: {
-  data: NodeData
-  updateNode: (update: NodeUpdate) => void
-}) {
-  return (
-    <header className="flex justify-between items-center min-width-0 py-2 mb-8">
-      <svg
-        width="26"
-        height="26"
-        viewBox="0 0 23 23"
-        fill="none"
-        xmlns="http://www.w3.org/2000/svg"
-        className="flex-shrink-0 mr-4"
-      >
-        <circle
-          opacity="0.2"
-          cx="3.4"
-          cy="3.25"
-          r="2.7"
-          fill="currentColor"
-        ></circle>
-        <circle cx="3.4" cy="11.3" r="2.7" fill="currentColor"></circle>
-        <circle
-          opacity="0.2"
-          cx="3.4"
-          cy="19.5"
-          r="2.7"
-          fill="currentColor"
-        ></circle>
-        <circle cx="11.5" cy="11.3" r="2.7" fill="currentColor"></circle>
-        <circle cx="11.5" cy="19.5" r="2.7" fill="currentColor"></circle>
-        <circle
-          opacity="0.2"
-          cx="11.5"
-          cy="3.25"
-          r="2.7"
-          fill="currentColor"
-        ></circle>
-        <circle
-          opacity="0.2"
-          cx="19.5"
-          cy="3.25"
-          r="2.7"
-          fill="currentColor"
-        ></circle>
-        <circle cx="19.5" cy="11.3" r="2.7" fill="currentColor"></circle>
-        <circle
-          opacity="0.2"
-          cx="19.5"
-          cy="19.5"
-          r="2.7"
-          fill="currentColor"
-        ></circle>
-      </svg>
-      <div className="flex items-center justify-end space-x-2 w-2/3">
-        {data.Profile &&
-          data.Status !== "NoState" &&
-          data.Status !== "NeedsLogin" && (
-            <>
-              <div className="text-right w-full leading-4">
-                <h4 className="truncate leading-normal">
-                  {data.Profile.LoginName}
-                </h4>
-                <div className="text-xs text-gray-500 text-right">
-                  <button
-                    onClick={() => updateNode({ Reauthenticate: true })}
-                    className="hover:text-gray-700"
-                  >
-                    Switch account
-                  </button>{" "}
-                  |{" "}
-                  <button
-                    onClick={() => updateNode({ Reauthenticate: true })}
-                    className="hover:text-gray-700"
-                  >
-                    Reauthenticate
-                  </button>{" "}
-                  |{" "}
-                  <button
-                    onClick={() => updateNode({ ForceLogout: true })}
-                    className="hover:text-gray-700"
-                  >
-                    Logout
-                  </button>
-                </div>
-              </div>
-              <div className="relative flex-shrink-0 w-8 h-8 rounded-full overflow-hidden">
-                {data.Profile.ProfilePicURL ? (
-                  <div
-                    className="w-8 h-8 flex pointer-events-none rounded-full bg-gray-200"
-                    style={{
-                      backgroundImage: `url(${data.Profile.ProfilePicURL})`,
-                      backgroundSize: "cover",
-                    }}
-                  />
-                ) : (
-                  <div className="w-8 h-8 flex pointer-events-none rounded-full border border-gray-400 border-dashed" />
-                )}
-              </div>
-            </>
-          )}
-      </div>
-    </header>
-  )
-}
-
-export function IP(props: { data: NodeData }) {
-  const { data } = props
-
-  if (!data.IP) {
-    return null
-  }
-
-  return (
-    <>
-      <div className="border border-gray-200 bg-gray-50 rounded-md p-2 pl-3 pr-3 width-full flex items-center justify-between">
-        <div className="flex items-center min-width-0">
-          <svg
-            className="flex-shrink-0 text-gray-600 mr-3 ml-1"
-            xmlns="http://www.w3.org/2000/svg"
-            width="20"
-            height="20"
-            viewBox="0 0 24 24"
-            fill="none"
-            stroke="currentColor"
-            strokeWidth="2"
-            strokeLinecap="round"
-            strokeLinejoin="round"
-          >
-            <rect x="2" y="2" width="20" height="8" rx="2" ry="2"></rect>
-            <rect x="2" y="14" width="20" height="8" rx="2" ry="2"></rect>
-            <line x1="6" y1="6" x2="6.01" y2="6"></line>
-            <line x1="6" y1="18" x2="6.01" y2="18"></line>
-          </svg>
-          <h4 className="font-semibold truncate mr-2">
-            {data.DeviceName || "Your device"}
-          </h4>
-        </div>
-        <h5>{data.IP}</h5>
-      </div>
-      <p className="mt-1 ml-1 mb-6 text-xs text-gray-600">
-        Debug info: Tailscale {data.IPNVersion}, tun={data.TUNMode.toString()}
-        {data.IsSynology && (
-          <>
-            , DSM{data.DSMVersion}
-            {data.TUNMode || (
-              <>
-                {" "}
-                (
-                <a
-                  href="https://tailscale.com/kb/1152/synology-outbound/"
-                  className="link-underline text-gray-600"
-                  target="_blank"
-                  aria-label="Configure outbound synology traffic"
-                  rel="noopener noreferrer"
-                >
-                  outgoing access not configured
-                </a>
-                )
-              </>
-            )}
-          </>
-        )}
-      </p>
-    </>
-  )
-}
-
-export function State({
-  data,
-  updateNode,
-}: {
-  data: NodeData
-  updateNode: (update: NodeUpdate) => void
-}) {
-  switch (data.Status) {
-    case "NeedsLogin":
-    case "NoState":
-      if (data.IP) {
-        return (
-          <>
-            <div className="mb-6">
-              <p className="text-gray-700">
-                Your device's key has expired. Reauthenticate this device by
-                logging in again, or{" "}
-                <a
-                  href="https://tailscale.com/kb/1028/key-expiry"
-                  className="link"
-                  target="_blank"
-                >
-                  learn more
-                </a>
-                .
-              </p>
-            </div>
-            <button
-              onClick={() => updateNode({ Reauthenticate: true })}
-              className="button button-blue w-full mb-4"
-            >
-              Reauthenticate
-            </button>
-          </>
-        )
-      } else {
-        return (
-          <>
-            <div className="mb-6">
-              <h3 className="text-3xl font-semibold mb-3">Log in</h3>
-              <p className="text-gray-700">
-                Get started by logging in to your Tailscale network.
-                Or,&nbsp;learn&nbsp;more at{" "}
-                <a
-                  href="https://tailscale.com/"
-                  className="link"
-                  target="_blank"
-                >
-                  tailscale.com
-                </a>
-                .
-              </p>
-            </div>
-            <button
-              onClick={() => updateNode({ Reauthenticate: true })}
-              className="button button-blue w-full mb-4"
-            >
-              Log In
-            </button>
-          </>
-        )
-      }
-    case "NeedsMachineAuth":
-      return (
-        <div className="mb-4">
-          This device is authorized, but needs approval from a network admin
-          before it can connect to the network.
-        </div>
-      )
-    default:
-      return (
-        <>
-          <div className="mb-4">
-            <p>
-              You are connected! Access this device over Tailscale using the
-              device name or IP address above.
-            </p>
-          </div>
-          <button
-            className={cx("button button-medium mb-4", {
-              "button-red": data.AdvertiseExitNode,
-              "button-blue": !data.AdvertiseExitNode,
-            })}
-            id="enabled"
-            onClick={() =>
-              updateNode({ AdvertiseExitNode: !data.AdvertiseExitNode })
-            }
-          >
-            {data.AdvertiseExitNode
-              ? "Stop advertising Exit Node"
-              : "Advertise as Exit Node"}
-          </button>
-        </>
-      )
-  }
-}
-
-export function Footer(props: { data: NodeData }) {
-  const { data } = props
-
-  return (
-    <footer className="container max-w-lg mx-auto text-center">
-      <a
-        className="text-xs text-gray-500 hover:text-gray-600"
-        href={data.LicensesURL}
-      >
-        Open Source Licenses
-      </a>
-    </footer>
-  )
-}

client/web/src/hooks/node-data.ts

@@ -1,136 +0,0 @@
-import { useCallback, useEffect, useState } from "react"
-import { apiFetch } from "src/api"
-
-export type NodeData = {
-  Profile: UserProfile
-  Status: string
-  DeviceName: string
-  IP: string
-  AdvertiseExitNode: boolean
-  AdvertiseRoutes: string
-  LicensesURL: string
-  TUNMode: boolean
-  IsSynology: boolean
-  DSMVersion: number
-  IsUnraid: boolean
-  UnraidToken: string
-  IPNVersion: string
-}
-
-export type UserProfile = {
-  LoginName: string
-  DisplayName: string
-  ProfilePicURL: string
-}
-
-export type NodeUpdate = {
-  AdvertiseRoutes?: string
-  AdvertiseExitNode?: boolean
-  Reauthenticate?: boolean
-  ForceLogout?: boolean
-}
-
-// useNodeData returns basic data about the current node.
-export default function useNodeData() {
-  const [data, setData] = useState<NodeData>()
-  const [isPosting, setIsPosting] = useState<boolean>(false)
-
-  const fetchNodeData = useCallback(() => {
-    apiFetch("api/data")
-      .then((r) => r.json())
-      .then((d) => setData(d))
-      .catch((error) => console.error(error))
-  }, [setData])
-
-  const updateNode = useCallback(
-    (update: NodeUpdate) => {
-      // The contents of this function are mostly copied over
-      // from the legacy client's web.html file.
-      // It makes all data updates through one API endpoint.
-      // As we build out the web client in React,
-      // this endpoint will eventually be deprecated.
-
-      if (isPosting || !data) {
-        return
-      }
-      setIsPosting(true)
-
-      update = {
-        ...update,
-        // Default to current data value for any unset fields.
-        AdvertiseRoutes:
-          update.AdvertiseRoutes !== undefined
-            ? update.AdvertiseRoutes
-            : data.AdvertiseRoutes,
-        AdvertiseExitNode:
-          update.AdvertiseExitNode !== undefined
-            ? update.AdvertiseExitNode
-            : data.AdvertiseExitNode,
-      }
-
-      const urlParams = new URLSearchParams(window.location.search)
-      const nextParams = new URLSearchParams({ up: "true" })
-      const token = urlParams.get("SynoToken")
-      if (token) {
-        nextParams.set("SynoToken", token)
-      }
-      const search = nextParams.toString()
-      const url = `/api/data${search ? `?${search}` : ""}`
-
-      var body, contentType: string
-
-      if (data.IsUnraid) {
-        const params = new URLSearchParams()
-        params.append("csrf_token", data.UnraidToken)
-        params.append("ts_data", JSON.stringify(update))
-        body = params.toString()
-        contentType = "application/x-www-form-urlencoded;charset=UTF-8"
-      } else {
-        body = JSON.stringify(update)
-        contentType = "application/json"
-      }
-
-      apiFetch(url, {
-        method: "POST",
-        headers: { Accept: "application/json", "Content-Type": contentType },
-        body: body,
-      })
-        .then((r) => r.json())
-        .then((r) => {
-          setIsPosting(false)
-          const err = r["error"]
-          if (err) {
-            throw new Error(err)
-          }
-          const url = r["url"]
-          if (url) {
-            window.open(url, "_blank")
-          }
-          fetchNodeData()
-        })
-        .catch((err) => alert("Failed operation: " + err.message))
-    },
-    [data]
-  )
-
-  useEffect(
-    () => {
-      // Initial data load.
-      fetchNodeData()
-
-      // Refresh on browser tab focus.
-      const onVisibilityChange = () => {
-        document.visibilityState === "visible" && fetchNodeData()
-      }
-      window.addEventListener("visibilitychange", onVisibilityChange)
-      return () => {
-        // Cleanup browser tab listener.
-        window.removeEventListener("visibilitychange", onVisibilityChange)
-      }
-    },
-    // Run once.
-    []
-  )
-
-  return { data, updateNode, isPosting }
-}

client/web/src/index.css

@@ -1,130 +0,0 @@
-@tailwind base;
-@tailwind components;
-@tailwind utilities;
-
-/**
- * Non-Tailwind styles begin here.
- */
-
-.bg-gray-0 {
-  --tw-bg-opacity: 1;
-  background-color: rgba(250, 249, 248, var(--tw-bg-opacity));
-}
-
-.bg-gray-50 {
-  --tw-bg-opacity: 1;
-  background-color: rgba(249, 247, 246, var(--tw-bg-opacity));
-}
-
-html {
-  letter-spacing: -0.015em;
-  text-rendering: optimizeLegibility;
-  -webkit-font-smoothing: antialiased;
-  -moz-osx-font-smoothing: grayscale;
-}
-
-.link {
-  --text-opacity: 1;
-  color: #4b70cc;
-  color: rgba(75, 112, 204, var(--text-opacity));
-}
-
-.link:hover,
-.link:active {
-  --text-opacity: 1;
-  color: #19224a;
-  color: rgba(25, 34, 74, var(--text-opacity));
-}
-
-.link-underline {
-  text-decoration: underline;
-}
-
-.link-underline:hover,
-.link-underline:active {
-  text-decoration: none;
-}
-
-.link-muted {
-  /* same as text-gray-500 */
-  --tw-text-opacity: 1;
-  color: rgba(112, 110, 109, var(--tw-text-opacity));
-}
-
-.link-muted:hover,
-.link-muted:active {
-  /* same as text-gray-500 */
-  --tw-text-opacity: 1;
-  color: rgba(68, 67, 66, var(--tw-text-opacity));
-}
-
-.button {
-  font-weight: 500;
-  padding-top: 0.45rem;
-  padding-bottom: 0.45rem;
-  padding-left: 1rem;
-  padding-right: 1rem;
-  border-radius: 0.375rem;
-  border-width: 1px;
-  border-color: transparent;
-  transition-property: background-color, border-color, color, box-shadow;
-  transition-duration: 120ms;
-  box-shadow: 0 1px 1px rgba(0, 0, 0, 0.04);
-  min-width: 80px;
-}
-
-.button:focus {
-  outline: 0;
-  box-shadow: 0 0 0 3px rgba(66, 153, 225, 0.5);
-}
-
-.button:disabled {
-  cursor: not-allowed;
-  -webkit-user-select: none;
-  -ms-user-select: none;
-  user-select: none;
-}
-
-.button-blue {
-  --bg-opacity: 1;
-  background-color: #4b70cc;
-  background-color: rgba(75, 112, 204, var(--bg-opacity));
-  --border-opacity: 1;
-  border-color: #4b70cc;
-  border-color: rgba(75, 112, 204, var(--border-opacity));
-  --text-opacity: 1;
-  color: #fff;
-  color: rgba(255, 255, 255, var(--text-opacity));
-}
-
-.button-blue:enabled:hover {
-  --bg-opacity: 1;
-  background-color: #3f5db3;
-  background-color: rgba(63, 93, 179, var(--bg-opacity));
-  --border-opacity: 1;
-  border-color: #3f5db3;
-  border-color: rgba(63, 93, 179, var(--border-opacity));
-}
-
-.button-blue:disabled {
-  --text-opacity: 1;
-  color: #cedefd;
-  color: rgba(206, 222, 253, var(--text-opacity));
-  --bg-opacity: 1;
-  background-color: #6c94ec;
-  background-color: rgba(108, 148, 236, var(--bg-opacity));
-  --border-opacity: 1;
-  border-color: #6c94ec;
-  border-color: rgba(108, 148, 236, var(--border-opacity));
-}
-
-.button-red {
-  background-color: #d04841;
-  border-color: #d04841;
-  color: #fff;
-}
-
-.button-red:enabled:hover {
-  background-color: #b22d30;
-  border-color: #b22d30;
-}

client/web/src/index.tsx

@@ -1,16 +0,0 @@
-import React from "react"
-import { createRoot } from "react-dom/client"
-import App from "src/components/app"
-
-const rootEl = document.createElement("div")
-rootEl.id = "app-root"
-rootEl.classList.add("relative", "z-0")
-document.body.append(rootEl)
-
-const root = createRoot(rootEl)
-
-root.render(
-  <React.StrictMode>
-    <App />
-  </React.StrictMode>
-)

client/web/synology.go

@@ -1,78 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// synology.go contains handlers and logic, such as authentication,
-// that is specific to running the web client on Synology.
-
-package web
-
-import (
-	"fmt"
-	"net/http"
-	"os/exec"
-	"strings"
-
-	"tailscale.com/util/groupmember"
-)
-
-const synologyPrefix = "/webman/3rdparty/Tailscale/index.cgi/"
-
-// authorizeSynology authenticates the logged-in Synology user and verifies
-// that they are authorized to use the web client.  It returns true if the
-// request was handled and no further processing is required.
-func authorizeSynology(w http.ResponseWriter, r *http.Request) (handled bool) {
-	if synoTokenRedirect(w, r) {
-		return true
-	}
-
-	// authenticate the Synology user
-	cmd := exec.Command("/usr/syno/synoman/webman/modules/authenticate.cgi")
-	out, err := cmd.CombinedOutput()
-	if err != nil {
-		http.Error(w, fmt.Sprintf("auth: %v: %s", err, out), http.StatusUnauthorized)
-		return true
-	}
-	user := strings.TrimSpace(string(out))
-
-	// check if the user is in the administrators group
-	isAdmin, err := groupmember.IsMemberOfGroup("administrators", user)
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusForbidden)
-		return true
-	}
-	if !isAdmin {
-		http.Error(w, "not a member of administrators group", http.StatusForbidden)
-		return true
-	}
-
-	return false
-}
-
-func synoTokenRedirect(w http.ResponseWriter, r *http.Request) bool {
-	if r.Header.Get("X-Syno-Token") != "" {
-		return false
-	}
-	if r.URL.Query().Get("SynoToken") != "" {
-		return false
-	}
-	if r.Method == "POST" && r.FormValue("SynoToken") != "" {
-		return false
-	}
-	// We need a SynoToken for authenticate.cgi.
-	// So we tell the client to get one.
-	_, _ = fmt.Fprint(w, synoTokenRedirectHTML)
-	return true
-}
-
-const synoTokenRedirectHTML = `<html>
-Redirecting with session token...
-<script>
-  fetch("/webman/login.cgi")
-    .then(r => r.json())
-    .then(data => {
-	u = new URL(window.location)
-	u.searchParams.set("SynoToken", data.SynoToken)
-	document.location = u
-    })
-</script>
-`

client/web/tailwind.config.js

@@ -1,12 +0,0 @@
-/** @type {import('tailwindcss').Config} */
-module.exports = {
-  content: [
-    "./index.html",
-    "./src/**/*.{js,ts,jsx,tsx}",
-  ],
-  theme: {
-    extend: {},
-  },
-  plugins: [],
-}
-

client/web/tsconfig.json

@@ -1,16 +0,0 @@
-{
-  "compilerOptions": {
-    "baseUrl": ".",
-    "target": "ES2017",
-    "module": "ES2020",
-    "strict": true,
-    "sourceMap": true,
-    "isolatedModules": true,
-    "moduleResolution": "node",
-    "forceConsistentCasingInFileNames": true,
-    "allowSyntheticDefaultImports": true,
-    "jsx": "react",
-  },
-  "include": ["src/**/*"],
-  "exclude": ["node_modules"]
-}

client/web/vite.config.ts

@@ -1,69 +0,0 @@
-/// <reference types="vitest" />
-import { createLogger, defineConfig } from "vite"
-import rewrite from "vite-plugin-rewrite-all"
-import svgr from "vite-plugin-svgr"
-import paths from "vite-tsconfig-paths"
-
-// Use a custom logger that filters out Vite's logging of server URLs, since
-// they are an attractive nuisance (we run a proxy in front of Vite, and the
-// tailscale web client should be accessed through that).
-// Unfortunately there's no option to disable this logging, so the best we can
-// do it to ignore calls from a specific function.
-const filteringLogger = createLogger(undefined, { allowClearScreen: false })
-const originalInfoLog = filteringLogger.info
-filteringLogger.info = (...args) => {
-  if (new Error("ignored").stack?.includes("printServerUrls")) {
-    return
-  }
-  originalInfoLog.apply(filteringLogger, args)
-}
-
-// https://vitejs.dev/config/
-export default defineConfig({
-  base: "./",
-  plugins: [
-    paths(),
-    svgr(),
-    // By default, the Vite dev server doesn't handle dots
-    // in path names and treats them as static files.
-    // This plugin changes Vite's routing logic to fix this.
-    // See: https://github.com/vitejs/vite/issues/2415
-    rewrite(),
-  ],
-  build: {
-    outDir: "build",
-    sourcemap: true,
-  },
-  esbuild: {
-    logOverride: {
-      // Silence a warning about `this` being undefined in ESM when at the
-      // top-level. The way JSX is transpiled causes this to happen, but it
-      // isn't a problem.
-      // See: https://github.com/vitejs/vite/issues/8644
-      "this-is-undefined-in-esm": "silent",
-    },
-  },
-  server: {
-    // This needs to be 127.0.0.1 instead of localhost, because of how our
-    // Go proxy connects to it.
-    host: "127.0.0.1",
-    // If you change the port, be sure to update the proxy in adminhttp.go too.
-    port: 4000,
-    // Don't proxy the WebSocket connection used for live reloading by running
-    // it on a separate port.
-    hmr: {
-      protocol: "ws",
-      port: 4001,
-    },
-  },
-  test: {
-    exclude: ["**/node_modules/**", "**/dist/**"],
-    testTimeout: 20000,
-    environment: "jsdom",
-    deps: {
-      inline: ["date-fns", /\.wasm\?url$/],
-    },
-  },
-  clearScreen: false,
-  customLogger: filteringLogger,
-})

client/web/web.go

@@ -1,529 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// Package web provides the Tailscale client for web.
-package web
-
-import (
-	"bytes"
-	"context"
-	"crypto/rand"
-	"embed"
-	"encoding/json"
-	"fmt"
-	"html/template"
-	"io"
-	"log"
-	"net/http"
-	"net/http/httputil"
-	"net/netip"
-	"os"
-	"path/filepath"
-	"strings"
-	"sync"
-
-	"github.com/gorilla/csrf"
-	"tailscale.com/client/tailscale"
-	"tailscale.com/envknob"
-	"tailscale.com/ipn"
-	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/licenses"
-	"tailscale.com/net/netutil"
-	"tailscale.com/tailcfg"
-	"tailscale.com/util/httpm"
-	"tailscale.com/version/distro"
-)
-
-// This contains all files needed to build the frontend assets.
-// Because we assign this to the blank identifier, it does not actually embed the files.
-// However, this does cause `go mod vendor` to include the files when vendoring the package.
-// External packages that use the web client can `go mod vendor`, run `yarn build` to
-// build the assets, then those asset bundles will be able to be embedded.
-//
-//go:embed yarn.lock index.html *.js *.json src/*
-var _ embed.FS
-
-//go:embed web.html web.css
-var embeddedFS embed.FS
-
-var tmpls *template.Template
-
-// Server is the backend server for a Tailscale web client.
-type Server struct {
-	lc *tailscale.LocalClient
-
-	devMode  bool
-	devProxy *httputil.ReverseProxy // only filled when devMode is on
-
-	cgiMode    bool
-	cgiPath    string
-	apiHandler http.Handler // csrf-protected api handler
-
-	selfMu sync.Mutex // protects self field
-	// self is a cached NodeView of the active self node,
-	// refreshed by watching the IPN notification bus
-	// (see Server.watchSelf).
-	//
-	// self's hostname and Tailscale IP are used to verify
-	// that incoming requests to the web client api are coming
-	// from the web client frontend and not some other source.
-	// Particularly to protect against DNS rebinding attacks.
-	// self should not be used to fill data for frontend views.
-	self tailcfg.NodeView
-}
-
-// ServerOpts contains options for constructing a new Server.
-type ServerOpts struct {
-	DevMode bool
-
-	// CGIMode indicates if the server is running as a CGI script.
-	CGIMode bool
-
-	// If running in CGIMode, CGIPath is the URL path prefix to the CGI script.
-	CGIPath string
-
-	// LocalClient is the tailscale.LocalClient to use for this web server.
-	// If nil, a new one will be created.
-	LocalClient *tailscale.LocalClient
-}
-
-// NewServer constructs a new Tailscale web client server.
-// The provided context should live for the duration of the Server's lifetime.
-func NewServer(ctx context.Context, opts ServerOpts) (s *Server, cleanup func()) {
-	if opts.LocalClient == nil {
-		opts.LocalClient = &tailscale.LocalClient{}
-	}
-	s = &Server{
-		devMode: opts.DevMode,
-		lc:      opts.LocalClient,
-		cgiMode: opts.CGIMode,
-		cgiPath: opts.CGIPath,
-	}
-	cleanup = func() {}
-	if s.devMode {
-		cleanup = s.startDevServer()
-		s.addProxyToDevServer()
-
-		// Create handler for "/api" requests with CSRF protection.
-		// We don't require secure cookies, since the web client is regularly used
-		// on network appliances that are served on local non-https URLs.
-		// The client is secured by limiting the interface it listens on,
-		// or by authenticating requests before they reach the web client.
-		csrfProtect := csrf.Protect(s.csrfKey(), csrf.Secure(false))
-		s.apiHandler = csrfProtect(http.HandlerFunc(s.serveAPI))
-	}
-
-	var wg sync.WaitGroup
-	defer wg.Wait()
-	wg.Add(1)
-	go func() {
-		defer wg.Done()
-		go s.watchSelf(ctx)
-	}()
-
-	s.lc.IncrementCounter(context.Background(), "web_client_initialization", 1)
-	return s, cleanup
-}
-
-func init() {
-	tmpls = template.Must(template.New("").ParseFS(embeddedFS, "*"))
-}
-
-// watchSelf watches the IPN notification bus to refresh
-// the Server's self node cache.
-func (s *Server) watchSelf(ctx context.Context) {
-	watchCtx, cancelWatch := context.WithCancel(ctx)
-	defer cancelWatch()
-
-	watcher, err := s.lc.WatchIPNBus(watchCtx, ipn.NotifyInitialNetMap|ipn.NotifyNoPrivateKeys)
-	if err != nil {
-		log.Fatalf("lost connection to tailscaled: %v", err)
-	}
-	defer watcher.Close()
-
-	for {
-		n, err := watcher.Next()
-		if err != nil {
-			log.Fatalf("lost connection to tailscaled: %v", err)
-		}
-		if state := n.State; state != nil && *state == ipn.NeedsLogin {
-			s.updateSelf(tailcfg.NodeView{})
-			continue
-		}
-		if n.NetMap == nil {
-			continue
-		}
-		s.updateSelf(n.NetMap.SelfNode)
-	}
-}
-
-// updateSelf grabs the lock and updates s.self.
-// Then logs if anything changed.
-func (s *Server) updateSelf(self tailcfg.NodeView) {
-	s.selfMu.Lock()
-	prev := s.self
-	s.self = self
-	s.selfMu.Unlock()
-
-	var old, new tailcfg.StableNodeID
-	if prev.Valid() {
-		old = prev.StableID()
-	}
-	if s.self.Valid() {
-		new = s.self.StableID()
-	}
-	if old != new {
-		if new.IsZero() {
-			log.Printf("self node logout")
-		} else {
-			log.Printf("self node login")
-		}
-	}
-}
-
-// ServeHTTP processes all requests for the Tailscale web client.
-func (s *Server) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	// some platforms where the client runs have their own authentication
-	// and authorization mechanisms we need to work with. Do those checks first.
-	switch distro.Get() {
-	case distro.Synology:
-		if authorizeSynology(w, r) {
-			return
-		}
-	case distro.QNAP:
-		if authorizeQNAP(w, r) {
-			return
-		}
-	}
-
-	handler := s.serve
-
-	// if running in cgi mode, strip the cgi path prefix
-	if s.cgiMode {
-		prefix := s.cgiPath
-		if prefix == "" {
-			switch distro.Get() {
-			case distro.Synology:
-				prefix = synologyPrefix
-			case distro.QNAP:
-				prefix = qnapPrefix
-			}
-		}
-		if prefix != "" {
-			handler = enforcePrefix(prefix, handler)
-		}
-	}
-
-	handler(w, r)
-}
-
-func (s *Server) serve(w http.ResponseWriter, r *http.Request) {
-	if s.devMode {
-		if strings.HasPrefix(r.URL.Path, "/api/") {
-			// Pass through to other handlers via CSRF protection.
-			s.apiHandler.ServeHTTP(w, r)
-			return
-		}
-		// When in dev mode, proxy to the Vite dev server.
-		s.devProxy.ServeHTTP(w, r)
-		return
-	}
-
-	switch {
-	case r.Method == "POST":
-		s.servePostNodeUpdate(w, r)
-		return
-	default:
-		s.lc.IncrementCounter(context.Background(), "web_client_page_load", 1)
-		s.serveGetNodeData(w, r)
-		return
-	}
-}
-
-// serveAPI serves requests for the web client api.
-// It should only be called by Server.ServeHTTP, via Server.apiHandler,
-// which protects the handler using gorilla csrf.
-func (s *Server) serveAPI(w http.ResponseWriter, r *http.Request) {
-	w.Header().Set("X-CSRF-Token", csrf.Token(r))
-	path := strings.TrimPrefix(r.URL.Path, "/api")
-	switch path {
-	case "/data":
-		switch r.Method {
-		case httpm.GET:
-			s.serveGetNodeDataJSON(w, r)
-		case httpm.POST:
-			s.servePostNodeUpdate(w, r)
-		default:
-			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
-		}
-		return
-	}
-	http.Error(w, "invalid endpoint", http.StatusNotFound)
-}
-
-type nodeData struct {
-	Profile           tailcfg.UserProfile
-	Status            string
-	DeviceName        string
-	IP                string
-	AdvertiseExitNode bool
-	AdvertiseRoutes   string
-	LicensesURL       string
-	TUNMode           bool
-	IsSynology        bool
-	DSMVersion        int // 6 or 7, if IsSynology=true
-	IsUnraid          bool
-	UnraidToken       string
-	IPNVersion        string
-}
-
-func (s *Server) getNodeData(ctx context.Context) (*nodeData, error) {
-	st, err := s.lc.Status(ctx)
-	if err != nil {
-		return nil, err
-	}
-	prefs, err := s.lc.GetPrefs(ctx)
-	if err != nil {
-		return nil, err
-	}
-	profile := st.User[st.Self.UserID]
-	deviceName := strings.Split(st.Self.DNSName, ".")[0]
-	versionShort := strings.Split(st.Version, "-")[0]
-	data := &nodeData{
-		Profile:     profile,
-		Status:      st.BackendState,
-		DeviceName:  deviceName,
-		LicensesURL: licenses.LicensesURL(),
-		TUNMode:     st.TUN,
-		IsSynology:  distro.Get() == distro.Synology || envknob.Bool("TS_FAKE_SYNOLOGY"),
-		DSMVersion:  distro.DSMVersion(),
-		IsUnraid:    distro.Get() == distro.Unraid,
-		UnraidToken: os.Getenv("UNRAID_CSRF_TOKEN"),
-		IPNVersion:  versionShort,
-	}
-	exitNodeRouteV4 := netip.MustParsePrefix("0.0.0.0/0")
-	exitNodeRouteV6 := netip.MustParsePrefix("::/0")
-	for _, r := range prefs.AdvertiseRoutes {
-		if r == exitNodeRouteV4 || r == exitNodeRouteV6 {
-			data.AdvertiseExitNode = true
-		} else {
-			if data.AdvertiseRoutes != "" {
-				data.AdvertiseRoutes += ","
-			}
-			data.AdvertiseRoutes += r.String()
-		}
-	}
-	if len(st.TailscaleIPs) != 0 {
-		data.IP = st.TailscaleIPs[0].String()
-	}
-	return data, nil
-}
-
-func (s *Server) serveGetNodeData(w http.ResponseWriter, r *http.Request) {
-	data, err := s.getNodeData(r.Context())
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-	buf := new(bytes.Buffer)
-	if err := tmpls.ExecuteTemplate(buf, "web.html", data); err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-	w.Write(buf.Bytes())
-}
-
-func (s *Server) serveGetNodeDataJSON(w http.ResponseWriter, r *http.Request) {
-	data, err := s.getNodeData(r.Context())
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-	if err := json.NewEncoder(w).Encode(*data); err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-	w.Header().Set("Content-Type", "application/json")
-	return
-}
-
-type nodeUpdate struct {
-	AdvertiseRoutes   string
-	AdvertiseExitNode bool
-	Reauthenticate    bool
-	ForceLogout       bool
-}
-
-func (s *Server) servePostNodeUpdate(w http.ResponseWriter, r *http.Request) {
-	defer r.Body.Close()
-
-	st, err := s.lc.Status(r.Context())
-	if err != nil {
-		http.Error(w, err.Error(), http.StatusInternalServerError)
-		return
-	}
-
-	var postData nodeUpdate
-	type mi map[string]any
-	if err := json.NewDecoder(r.Body).Decode(&postData); err != nil {
-		w.WriteHeader(400)
-		json.NewEncoder(w).Encode(mi{"error": err.Error()})
-		return
-	}
-
-	routes, err := netutil.CalcAdvertiseRoutes(postData.AdvertiseRoutes, postData.AdvertiseExitNode)
-	if err != nil {
-		w.WriteHeader(http.StatusInternalServerError)
-		json.NewEncoder(w).Encode(mi{"error": err.Error()})
-		return
-	}
-	mp := &ipn.MaskedPrefs{
-		AdvertiseRoutesSet: true,
-		WantRunningSet:     true,
-	}
-	mp.Prefs.WantRunning = true
-	mp.Prefs.AdvertiseRoutes = routes
-	log.Printf("Doing edit: %v", mp.Pretty())
-
-	if _, err := s.lc.EditPrefs(r.Context(), mp); err != nil {
-		w.WriteHeader(http.StatusInternalServerError)
-		json.NewEncoder(w).Encode(mi{"error": err.Error()})
-		return
-	}
-
-	w.Header().Set("Content-Type", "application/json")
-	var reauth, logout bool
-	if postData.Reauthenticate {
-		reauth = true
-	}
-	if postData.ForceLogout {
-		logout = true
-	}
-	log.Printf("tailscaleUp(reauth=%v, logout=%v) ...", reauth, logout)
-	url, err := s.tailscaleUp(r.Context(), st, postData)
-	log.Printf("tailscaleUp = (URL %v, %v)", url != "", err)
-	if err != nil {
-		w.WriteHeader(http.StatusInternalServerError)
-		json.NewEncoder(w).Encode(mi{"error": err.Error()})
-		return
-	}
-	if url != "" {
-		json.NewEncoder(w).Encode(mi{"url": url})
-	} else {
-		io.WriteString(w, "{}")
-	}
-	return
-}
-
-func (s *Server) tailscaleUp(ctx context.Context, st *ipnstate.Status, postData nodeUpdate) (authURL string, retErr error) {
-	if postData.ForceLogout {
-		if err := s.lc.Logout(ctx); err != nil {
-			return "", fmt.Errorf("Logout error: %w", err)
-		}
-		return "", nil
-	}
-
-	origAuthURL := st.AuthURL
-	isRunning := st.BackendState == ipn.Running.String()
-
-	forceReauth := postData.Reauthenticate
-	if !forceReauth {
-		if origAuthURL != "" {
-			return origAuthURL, nil
-		}
-		if isRunning {
-			return "", nil
-		}
-	}
-
-	// printAuthURL reports whether we should print out the
-	// provided auth URL from an IPN notify.
-	printAuthURL := func(url string) bool {
-		return url != origAuthURL
-	}
-
-	watchCtx, cancelWatch := context.WithCancel(ctx)
-	defer cancelWatch()
-	watcher, err := s.lc.WatchIPNBus(watchCtx, 0)
-	if err != nil {
-		return "", err
-	}
-	defer watcher.Close()
-
-	go func() {
-		if !isRunning {
-			s.lc.Start(ctx, ipn.Options{})
-		}
-		if forceReauth {
-			s.lc.StartLoginInteractive(ctx)
-		}
-	}()
-
-	for {
-		n, err := watcher.Next()
-		if err != nil {
-			return "", err
-		}
-		if n.ErrMessage != nil {
-			msg := *n.ErrMessage
-			return "", fmt.Errorf("backend error: %v", msg)
-		}
-		if url := n.BrowseToURL; url != nil && printAuthURL(*url) {
-			return *url, nil
-		}
-	}
-}
-
-// csrfKey returns a key that can be used for CSRF protection.
-// If an error occurs during key creation, the error is logged and the active process terminated.
-// If the server is running in CGI mode, the key is cached to disk and reused between requests.
-// If an error occurs during key storage, the error is logged and the active process terminated.
-func (s *Server) csrfKey() []byte {
-	var csrfFile string
-
-	// if running in CGI mode, try to read from disk, but ignore errors
-	if s.cgiMode {
-		confdir, err := os.UserConfigDir()
-		if err != nil {
-			confdir = os.TempDir()
-		}
-
-		csrfFile = filepath.Join(confdir, "tailscale", "web-csrf.key")
-		key, _ := os.ReadFile(csrfFile)
-		if len(key) == 32 {
-			return key
-		}
-	}
-
-	// create a new key
-	key := make([]byte, 32)
-	if _, err := rand.Read(key); err != nil {
-		log.Fatal("error generating CSRF key: %w", err)
-	}
-
-	// if running in CGI mode, try to write the newly created key to disk, and exit if it fails.
-	if s.cgiMode {
-		if err := os.Mkdir(filepath.Dir(csrfFile), 0700); err != nil && !os.IsExist(err) {
-			log.Fatalf("unable to store CSRF key: %v", err)
-		}
-		if err := os.WriteFile(csrfFile, key, 0600); err != nil {
-			log.Fatalf("unable to store CSRF key: %v", err)
-		}
-	}
-
-	return key
-}
-
-// enforcePrefix returns a HandlerFunc that enforces a given path prefix is used in requests,
-// then strips it before invoking h.
-// Unlike http.StripPrefix, it does not return a 404 if the prefix is not present.
-// Instead, it returns a redirect to the prefix path.
-func enforcePrefix(prefix string, h http.HandlerFunc) http.HandlerFunc {
-	return func(w http.ResponseWriter, r *http.Request) {
-		if !strings.HasPrefix(r.URL.Path, prefix) {
-			http.Redirect(w, r, prefix, http.StatusFound)
-			return
-		}
-		http.StripPrefix(prefix, h).ServeHTTP(w, r)
-	}
-}

client/web/web.html

@@ -1,210 +0,0 @@
-<!doctype html>
-<html class="bg-gray-50">
-
-<head>
-	<meta charset="utf-8" />
-	<meta name="viewport" content="width=device-width, initial-scale=1" />
-	<link rel="shortcut icon"
-		href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAQAAADZc7J/AAAABGdBTUEAALGPC/xhBQAAACBjSFJNAAB6JgAAgIQAAPoAAACA6AAAdTAAAOpgAAA6mAAAF3CculE8AAAAAmJLR0QA/4ePzL8AAAAHdElNRQflAx4QGA4EvmzDAAAA30lEQVRIx2NgGAWMCKa8JKM4A8Ovt88ekyLCDGOoyDBJMjExMbFy8zF8/EKsCAMDE8yAPyIwFps48SJIBpAL4AZwvoSx/r0lXgQpDN58EWL5x/7/H+vL20+JFxluQKVe5b3Ke5V+0kQQCamfoYKBg4GDwUKI8d0BYkWQkrLKewYBKPPDHUFiRaiZkBgmwhj/F5IgggyUJ6i8V3mv0kCayDAAeEsklXqGAgYGhgV3CnGrwVciYSYk0kokhgS44/JxqqFpiYSZbEgskd4dEBRk1GD4wdB5twKXmlHAwMDAAACdEZau06NQUwAAACV0RVh0ZGF0ZTpjcmVhdGUAMjAyMC0wNy0xNVQxNTo1Mzo0MCswMDowMCVXsDIAAAAldEVYdGRhdGU6bW9kaWZ5ADIwMjAtMDctMTVUMTU6NTM6NDArMDA6MDBUCgiOAAAAAElFTkSuQmCC" />
-	<title>Tailscale</title>
-	<style>{{template "web.css"}}</style>
-</head>
-
-<body class="py-14">
-<main class="container max-w-lg mx-auto mb-8 py-6 px-8 bg-white rounded-md shadow-2xl" style="width: 95%">
-	<header class="flex justify-between items-center min-width-0 py-2 mb-8">
-		<svg width="26" height="26" viewBox="0 0 23 23" title="Tailscale" fill="none" xmlns="http://www.w3.org/2000/svg"
-			class="flex-shrink-0 mr-4">
-			<circle opacity="0.2" cx="3.4" cy="3.25" r="2.7" fill="currentColor"></circle>
-			<circle cx="3.4" cy="11.3" r="2.7" fill="currentColor"></circle>
-			<circle opacity="0.2" cx="3.4" cy="19.5" r="2.7" fill="currentColor"></circle>
-			<circle cx="11.5" cy="11.3" r="2.7" fill="currentColor"></circle>
-			<circle cx="11.5" cy="19.5" r="2.7" fill="currentColor"></circle>
-			<circle opacity="0.2" cx="11.5" cy="3.25" r="2.7" fill="currentColor"></circle>
-			<circle opacity="0.2" cx="19.5" cy="3.25" r="2.7" fill="currentColor"></circle>
-			<circle cx="19.5" cy="11.3" r="2.7" fill="currentColor"></circle>
-			<circle opacity="0.2" cx="19.5" cy="19.5" r="2.7" fill="currentColor"></circle>
-		</svg>
-		<div class="flex items-center justify-end space-x-2 w-2/3">
-			{{ with .Profile }}
-			<div class="text-right w-full leading-4">
-				<h4 class="truncate leading-normal">{{.LoginName}}</h4>
-				<div class="text-xs text-gray-500 text-right">
-					<a href="#" class="hover:text-gray-700 js-loginButton">Switch account</a> | <a href="#"
-						class="hover:text-gray-700 js-loginButton">Reauthenticate</a> | <a href="#"
-						class="hover:text-gray-700 js-logoutButton">Logout</a>
-				</div>
-			</div>
-			{{ end }}
-			<div class="relative flex-shrink-0 w-8 h-8 rounded-full overflow-hidden">
-				{{ with .Profile.ProfilePicURL }}
-				<div class="w-8 h-8 flex pointer-events-none rounded-full bg-gray-200"
-					style="background-image: url('{{.}}'); background-size: cover;"></div>
-				{{ else }}
-				<div class="w-8 h-8 flex pointer-events-none rounded-full border border-gray-400 border-dashed"></div>
-				{{ end }}
-			</div>
-		</div>
-	</header>
-	{{ if .IP }}
-	<div
-		class="border border-gray-200 bg-gray-0 rounded-md p-2 pl-3 pr-3 width-full flex items-center justify-between">
-		<div class="flex items-center min-width-0">
-			<svg class="flex-shrink-0 text-gray-600 mr-3 ml-1" xmlns="http://www.w3.org/2000/svg" width="20" height="20"
-				viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round"
-				stroke-linejoin="round">
-				<rect x="2" y="2" width="20" height="8" rx="2" ry="2"></rect>
-				<rect x="2" y="14" width="20" height="8" rx="2" ry="2"></rect>
-				<line x1="6" y1="6" x2="6.01" y2="6"></line>
-				<line x1="6" y1="18" x2="6.01" y2="18"></line>
-			</svg>
-			<div>
-				<h4 class="font-semibold truncate mr-2">{{.DeviceName}}</h4>
-			</div>
-		</div>
-		<h5>{{.IP}}</h5>
-	</div>
-	<p class="mt-1 ml-1 mb-6 text-xs text-gray-600">
-		Debug info: Tailscale {{ .IPNVersion }}, tun={{.TUNMode}}{{ if .IsSynology }}, DSM{{ .DSMVersion}}
-			{{if not .TUNMode}}
-			(<a href="https://tailscale.com/kb/1152/synology-outbound/" class="link-underline text-gray-600" target="_blank"
-				aria-label="Configure outbound synology traffic"
-				rel="noopener noreferrer">outgoing access not configured</a>)
-			{{end}}
-		{{end}}
-	</p>
-	{{ end }}
-	{{ if or (eq .Status "NeedsLogin") (eq .Status "NoState") }}
-	{{ if .IP }}
-	<div class="mb-6">
-		<p class="text-gray-700">Your device's key has expired. Reauthenticate this device by logging in again, or <a
-				href="https://tailscale.com/kb/1028/key-expiry" class="link" target="_blank">learn more</a>.</p>
-	</div>
-	<a href="#" class="mb-4 js-loginButton" target="_blank">
-		<button class="button button-blue w-full">Reauthenticate</button>
-	</a>
-	{{ else }}
-	<div class="mb-6">
-		<h3 class="text-3xl font-semibold mb-3">Log in</h3>
-		<p class="text-gray-700">Get started by logging in to your Tailscale network. Or,&nbsp;learn&nbsp;more at <a
-				href="https://tailscale.com/" class="link" target="_blank">tailscale.com</a>.</p>
-	</div>
-	<a href="#" class="mb-4 js-loginButton" target="_blank">
-		<button class="button button-blue w-full">Log In</button>
-	</a>
-	{{ end }}
-	{{ else if eq .Status "NeedsMachineAuth" }}
-	<div class="mb-4">
-		This device is authorized, but needs approval from a network admin before it can connect to the network.
-	</div>
-	{{ else }}
-	<div class="mb-4">
-		<p>You are connected! Access this device over Tailscale using the device name or IP address above.</p>
-	</div>
-	<div class="mb-4">
-	<a href="#" class="mb-4 js-advertiseExitNode">
-		{{if .AdvertiseExitNode}}
-		<button class="button button-red button-medium" id="enabled">Stop advertising Exit Node</button>
-		{{else}}
-		<button class="button button-blue button-medium" id="enabled">Advertise as Exit Node</button>
-		{{end}}
-	</a>
-	</div>
-	{{ end }}
-</main>
-<footer class="container max-w-lg mx-auto text-center">
-	<a class="text-xs text-gray-500 hover:text-gray-600" href="{{ .LicensesURL }}">Open Source Licenses</a>
-</footer>
-<script>(function () {
-const advertiseExitNode = {{ .AdvertiseExitNode }};
-const isUnraid = {{ .IsUnraid }};
-const unraidCsrfToken = "{{ .UnraidToken }}";
-let fetchingUrl = false;
-var data = {
-	AdvertiseRoutes: "{{ .AdvertiseRoutes }}",
-	AdvertiseExitNode: advertiseExitNode,
-	Reauthenticate: false,
-	ForceLogout: false
-};
-
-function postData(e) {
-	e.preventDefault();
-
-	if (fetchingUrl) {
-		return;
-	}
-
-	fetchingUrl = true;
-	const urlParams = new URLSearchParams(window.location.search);
-	const token = urlParams.get("SynoToken");
-	const nextParams = new URLSearchParams({ up: true });
-	if (token) {
-		nextParams.set("SynoToken", token)
-	}
-	const nextUrl = new URL(window.location);
-	nextUrl.search = nextParams.toString()
-
-	let body = JSON.stringify(data);
-	let contentType = "application/json";
-
-	if (isUnraid) {
-		const params = new URLSearchParams();
-		params.append("csrf_token", unraidCsrfToken);
-		params.append("ts_data", JSON.stringify(data));
-
-		body = params.toString();
-		contentType = "application/x-www-form-urlencoded;charset=UTF-8";
-	}
-
-	const url = nextUrl.toString();
-	fetch(url, {
-		method: "POST",
-		headers: {
-			"Accept": "application/json",
-			"Content-Type": contentType,
-		},
-		body: body
-	}).then(res => res.json()).then(res => {
-		fetchingUrl = false;
-		const err = res["error"];
-		if (err) {
-			throw new Error(err);
-		}
-		const url = res["url"];
-		if (url) {
-			if(isUnraid) {
-				window.open(url, "_blank");
-			} else {
-				document.location.href = url;
-			}
-		} else {
-			location.reload();
-		}
-	}).catch(err => {
-		alert("Failed operation: " + err.message);
-	});
-}
-
-document.querySelectorAll(".js-loginButton").forEach(function (el){
-	el.addEventListener("click", function(e) {
-		data.Reauthenticate = true;
-		postData(e);
-	});
-})
-document.querySelectorAll(".js-logoutButton").forEach(function(el) {
-	el.addEventListener("click", function (e) {
-		data.ForceLogout = true;
-		postData(e);
-	});
-})
-document.querySelectorAll(".js-advertiseExitNode").forEach(function (el) {
-	el.addEventListener("click", function(e) {
-		data.AdvertiseExitNode = !advertiseExitNode;
-		postData(e);
-	});
-})
-
-})();</script>
-</body>
-
-</html>

client/web/web_test.go

@@ -1,64 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package web
-
-import (
-	"net/url"
-	"testing"
-)
-
-func TestQnapAuthnURL(t *testing.T) {
-	query := url.Values{
-		"qtoken": []string{"token"},
-	}
-	tests := []struct {
-		name string
-		in   string
-		want string
-	}{
-		{
-			name: "localhost http",
-			in:   "http://localhost:8088/",
-			want: "http://localhost:8088/cgi-bin/authLogin.cgi?qtoken=token",
-		},
-		{
-			name: "localhost https",
-			in:   "https://localhost:5000/",
-			want: "https://localhost:5000/cgi-bin/authLogin.cgi?qtoken=token",
-		},
-		{
-			name: "IP http",
-			in:   "http://10.1.20.4:80/",
-			want: "http://10.1.20.4:80/cgi-bin/authLogin.cgi?qtoken=token",
-		},
-		{
-			name: "IP6 https",
-			in:   "https://[ff7d:0:1:2::1]/",
-			want: "https://[ff7d:0:1:2::1]/cgi-bin/authLogin.cgi?qtoken=token",
-		},
-		{
-			name: "hostname https",
-			in:   "https://qnap.example.com/",
-			want: "https://qnap.example.com/cgi-bin/authLogin.cgi?qtoken=token",
-		},
-		{
-			name: "invalid URL",
-			in:   "This is not a URL, it is a really really really really really really really really really really really really long string to exercise the URL truncation code in the error path.",
-			want: "http://localhost/cgi-bin/authLogin.cgi?qtoken=token",
-		},
-		{
-			name: "err != nil",
-			in:   "http://192.168.0.%31/",
-			want: "http://localhost/cgi-bin/authLogin.cgi?qtoken=token",
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			u := qnapAuthnURL(tt.in, query)
-			if u != tt.want {
-				t.Errorf("expected url: %q, got: %q", tt.want, u)
-			}
-		})
-	}
-}

clientupdate/clientupdate.go

@@ -1,960 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// Package clientupdate implements tailscale client update for all supported
-// platforms. This package can be used from both tailscaled and tailscale
-// binaries.
-package clientupdate
-
-import (
-	"bufio"
-	"bytes"
-	"context"
-	"crypto/sha256"
-	"encoding/hex"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"io"
-	"net/http"
-	"os"
-	"os/exec"
-	"path"
-	"path/filepath"
-	"regexp"
-	"runtime"
-	"strconv"
-	"strings"
-	"time"
-
-	"github.com/google/uuid"
-	"tailscale.com/net/tshttpproxy"
-	"tailscale.com/types/logger"
-	"tailscale.com/util/must"
-	"tailscale.com/util/winutil"
-	"tailscale.com/version"
-	"tailscale.com/version/distro"
-)
-
-const (
-	CurrentTrack  = ""
-	StableTrack   = "stable"
-	UnstableTrack = "unstable"
-)
-
-func versionToTrack(v string) (string, error) {
-	_, rest, ok := strings.Cut(v, ".")
-	if !ok {
-		return "", fmt.Errorf("malformed version %q", v)
-	}
-	minorStr, _, ok := strings.Cut(rest, ".")
-	if !ok {
-		return "", fmt.Errorf("malformed version %q", v)
-	}
-	minor, err := strconv.Atoi(minorStr)
-	if err != nil {
-		return "", fmt.Errorf("malformed version %q", v)
-	}
-	if minor%2 == 0 {
-		return "stable", nil
-	}
-	return "unstable", nil
-}
-
-type updater struct {
-	UpdateArgs
-	track  string
-	update func() error
-}
-
-// UpdateArgs contains arguments needed to run an update.
-type UpdateArgs struct {
-	// Version can be a specific version number or one of the predefined track
-	// constants:
-	//
-	//   - CurrentTrack will use the latest version from the same track as the
-	//     running binary
-	//   - StableTrack and UnstableTrack will use the latest versions of the
-	//     corresponding tracks
-	//
-	// Leaving this empty is the same as using CurrentTrack.
-	Version string
-	// AppStore forces a local app store check, even if the current binary was
-	// not installed via an app store.
-	AppStore bool
-	// Logf is a logger for update progress messages.
-	Logf logger.Logf
-	// Confirm is called when a new version is available and should return true
-	// if this new version should be installed. When Confirm returns false, the
-	// update is aborted.
-	Confirm func(newVer string) bool
-}
-
-func (args UpdateArgs) validate() error {
-	if args.Confirm == nil {
-		return errors.New("missing Confirm callback in UpdateArgs")
-	}
-	if args.Logf == nil {
-		return errors.New("missing Logf callback in UpdateArgs")
-	}
-	return nil
-}
-
-// Update runs a single update attempt using the platform-specific mechanism.
-//
-// On Windows, this copies the calling binary and re-executes it to apply the
-// update. The calling binary should handle an "update" subcommand and call
-// this function again for the re-executed binary to proceed.
-func Update(args UpdateArgs) error {
-	if err := args.validate(); err != nil {
-		return err
-	}
-	up := &updater{
-		UpdateArgs: args,
-	}
-	switch up.Version {
-	case StableTrack, UnstableTrack:
-		up.track = up.Version
-	case CurrentTrack:
-		if version.IsUnstableBuild() {
-			up.track = UnstableTrack
-		} else {
-			up.track = StableTrack
-		}
-	default:
-		var err error
-		up.track, err = versionToTrack(args.Version)
-		if err != nil {
-			return err
-		}
-	}
-	switch runtime.GOOS {
-	case "windows":
-		up.update = up.updateWindows
-	case "linux":
-		switch distro.Get() {
-		case distro.Synology:
-			up.update = up.updateSynology
-		case distro.Debian: // includes Ubuntu
-			up.update = up.updateDebLike
-		case distro.Arch:
-			up.update = up.updateArchLike
-		case distro.Alpine:
-			up.update = up.updateAlpineLike
-		}
-		switch {
-		case haveExecutable("pacman"):
-			up.update = up.updateArchLike
-		case haveExecutable("apt-get"): // TODO(awly): add support for "apt"
-			// The distro.Debian switch case above should catch most apt-based
-			// systems, but add this fallback just in case.
-			up.update = up.updateDebLike
-		case haveExecutable("dnf"):
-			up.update = up.updateFedoraLike("dnf")
-		case haveExecutable("yum"):
-			up.update = up.updateFedoraLike("yum")
-		case haveExecutable("apk"):
-			up.update = up.updateAlpineLike
-		}
-	case "darwin":
-		switch {
-		case !args.AppStore && !version.IsSandboxedMacOS():
-			return errors.ErrUnsupported
-		case !args.AppStore && strings.HasSuffix(os.Getenv("HOME"), "/io.tailscale.ipn.macsys/Data"):
-			up.update = up.updateMacSys
-		default:
-			up.update = up.updateMacAppStore
-		}
-	case "freebsd":
-		up.update = up.updateFreeBSD
-	}
-	if up.update == nil {
-		return errors.ErrUnsupported
-	}
-	return up.update()
-}
-
-func (up *updater) confirm(ver string) bool {
-	if version.Short() == ver {
-		up.Logf("already running %v; no update needed", ver)
-		return false
-	}
-	if up.Confirm != nil {
-		return up.Confirm(ver)
-	}
-	return true
-}
-
-const synoinfoConfPath = "/etc/synoinfo.conf"
-
-func (up *updater) updateSynology() error {
-	if up.Version != "" {
-		return errors.New("installing a specific version on Synology is not supported")
-	}
-
-	// Get the latest version and list of SPKs from pkgs.tailscale.com.
-	osName := fmt.Sprintf("dsm%d", distro.DSMVersion())
-	arch, err := synoArch(runtime.GOARCH, synoinfoConfPath)
-	if err != nil {
-		return err
-	}
-	latest, err := latestPackages(up.track)
-	if err != nil {
-		return err
-	}
-	if latest.Version == "" {
-		return fmt.Errorf("no latest version found for %q track", up.track)
-	}
-	spkName := latest.SPKs[osName][arch]
-	if spkName == "" {
-		return fmt.Errorf("cannot find Synology package for os=%s arch=%s, please report a bug with your device model", osName, arch)
-	}
-
-	if !up.confirm(latest.Version) {
-		return nil
-	}
-	if err := requireRoot(); err != nil {
-		return err
-	}
-
-	// Download the SPK into a temporary directory.
-	spkDir, err := os.MkdirTemp("", "tailscale-update")
-	if err != nil {
-		return err
-	}
-	url := fmt.Sprintf("https://pkgs.tailscale.com/%s/%s", up.track, spkName)
-	spkPath := filepath.Join(spkDir, path.Base(url))
-	// TODO(awly): we should sign SPKs and validate signatures here too.
-	if err := up.downloadURLToFile(url, spkPath); err != nil {
-		return err
-	}
-
-	// Install the SPK. Run via nohup to allow install to succeed when we're
-	// connected over tailscale ssh and this parent process dies. Otherwise, if
-	// you abort synopkg install mid-way, tailscaled is not restarted.
-	cmd := exec.Command("nohup", "synopkg", "install", spkPath)
-	// Don't attach cmd.Stdout to os.Stdout because nohup will redirect that
-	// into nohup.out file. synopkg doesn't have any progress output anyway, it
-	// just spits out a JSON result when done.
-	out, err := cmd.CombinedOutput()
-	if err != nil {
-		return fmt.Errorf("synopkg install failed: %w\noutput:\n%s", err, out)
-	}
-	return nil
-}
-
-// synoArch returns the Synology CPU architecture matching one of the SPK
-// architectures served from pkgs.tailscale.com.
-func synoArch(goArch, synoinfoPath string) (string, error) {
-	// Most Synology boxes just use a different arch name from GOARCH.
-	arch := map[string]string{
-		"amd64": "x86_64",
-		"386":   "i686",
-		"arm64": "armv8",
-	}[goArch]
-
-	if arch == "" {
-		// Here's the fun part, some older ARM boxes require you to use SPKs
-		// specifically for their CPU. See
-		// https://github.com/SynoCommunity/spksrc/wiki/Synology-and-SynoCommunity-Package-Architectures
-		// for a complete list.
-		//
-		// Some CPUs will map to neither this list nor the goArch map above, and we
-		// don't have SPKs for them.
-		cpu, err := parseSynoinfo(synoinfoPath)
-		if err != nil {
-			return "", fmt.Errorf("failed to get CPU architecture: %w", err)
-		}
-		switch cpu {
-		case "88f6281", "88f6282", "hi3535", "alpine", "armada370",
-			"armada375", "armada38x", "armadaxp", "comcerto2k", "monaco":
-			arch = cpu
-		default:
-			return "", fmt.Errorf("unsupported Synology CPU architecture %q (Go arch %q), please report a bug at https://github.com/tailscale/tailscale/issues/new/choose", cpu, goArch)
-		}
-	}
-	return arch, nil
-}
-
-func parseSynoinfo(path string) (string, error) {
-	f, err := os.Open(path)
-	if err != nil {
-		return "", err
-	}
-	defer f.Close()
-
-	// Look for a line like:
-	// unique="synology_88f6282_413j"
-	// Extract the CPU in the middle (88f6282 in the above example).
-	s := bufio.NewScanner(f)
-	for s.Scan() {
-		l := s.Text()
-		if !strings.HasPrefix(l, "unique=") {
-			continue
-		}
-		parts := strings.SplitN(l, "_", 3)
-		if len(parts) != 3 {
-			return "", fmt.Errorf(`malformed %q: found %q, expected format like 'unique="synology_$cpu_$model'`, path, l)
-		}
-		return parts[1], nil
-	}
-	return "", fmt.Errorf(`missing "unique=" field in %q`, path)
-}
-
-func (up *updater) updateDebLike() error {
-	ver, err := requestedTailscaleVersion(up.Version, up.track)
-	if err != nil {
-		return err
-	}
-	if !up.confirm(ver) {
-		return nil
-	}
-
-	if err := requireRoot(); err != nil {
-		return err
-	}
-
-	if updated, err := updateDebianAptSourcesList(up.track); err != nil {
-		return err
-	} else if updated {
-		up.Logf("Updated %s to use the %s track", aptSourcesFile, up.track)
-	}
-
-	cmd := exec.Command("apt-get", "update",
-		// Only update the tailscale repo, not the other ones, treating
-		// the tailscale.list file as the main "sources.list" file.
-		"-o", "Dir::Etc::SourceList=sources.list.d/tailscale.list",
-		// Disable the "sources.list.d" directory:
-		"-o", "Dir::Etc::SourceParts=-",
-		// Don't forget about packages in the other repos just because
-		// we're not updating them:
-		"-o", "APT::Get::List-Cleanup=0",
-	)
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	if err := cmd.Run(); err != nil {
-		return err
-	}
-
-	cmd = exec.Command("apt-get", "install", "--yes", "--allow-downgrades", "tailscale="+ver)
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	if err := cmd.Run(); err != nil {
-		return err
-	}
-
-	return nil
-}
-
-const aptSourcesFile = "/etc/apt/sources.list.d/tailscale.list"
-
-// updateDebianAptSourcesList updates the /etc/apt/sources.list.d/tailscale.list
-// file to make sure it has the provided track (stable or unstable) in it.
-//
-// If it already has the right track (including containing both stable and
-// unstable), it does nothing.
-func updateDebianAptSourcesList(dstTrack string) (rewrote bool, err error) {
-	was, err := os.ReadFile(aptSourcesFile)
-	if err != nil {
-		return false, err
-	}
-	newContent, err := updateDebianAptSourcesListBytes(was, dstTrack)
-	if err != nil {
-		return false, err
-	}
-	if bytes.Equal(was, newContent) {
-		return false, nil
-	}
-	return true, os.WriteFile(aptSourcesFile, newContent, 0644)
-}
-
-func updateDebianAptSourcesListBytes(was []byte, dstTrack string) (newContent []byte, err error) {
-	trackURLPrefix := []byte("https://pkgs.tailscale.com/" + dstTrack + "/")
-	var buf bytes.Buffer
-	var changes int
-	bs := bufio.NewScanner(bytes.NewReader(was))
-	hadCorrect := false
-	commentLine := regexp.MustCompile(`^\s*\#`)
-	pkgsURL := regexp.MustCompile(`\bhttps://pkgs\.tailscale\.com/((un)?stable)/`)
-	for bs.Scan() {
-		line := bs.Bytes()
-		if !commentLine.Match(line) {
-			line = pkgsURL.ReplaceAllFunc(line, func(m []byte) []byte {
-				if bytes.Equal(m, trackURLPrefix) {
-					hadCorrect = true
-				} else {
-					changes++
-				}
-				return trackURLPrefix
-			})
-		}
-		buf.Write(line)
-		buf.WriteByte('\n')
-	}
-	if hadCorrect || (changes == 1 && bytes.Equal(bytes.TrimSpace(was), bytes.TrimSpace(buf.Bytes()))) {
-		// Unchanged or close enough.
-		return was, nil
-	}
-	if changes != 1 {
-		// No changes, or an unexpected number of changes (what?). Bail.
-		// They probably editted it by hand and we don't know what to do.
-		return nil, fmt.Errorf("unexpected/unsupported %s contents", aptSourcesFile)
-	}
-	return buf.Bytes(), nil
-}
-
-func (up *updater) updateArchLike() error {
-	// Arch maintainer asked us not to implement "tailscale update" or
-	// auto-updates on Arch-based distros:
-	// https://github.com/tailscale/tailscale/issues/6995#issuecomment-1687080106
-	return errors.New(`individual package updates are not supported on Arch-based distros, only full-system updates are: https://wiki.archlinux.org/title/System_maintenance#Partial_upgrades_are_unsupported.
-you can use "pacman --sync --refresh --sysupgrade" or "pacman -Syu" to upgrade the system, including Tailscale.`)
-}
-
-const yumRepoConfigFile = "/etc/yum.repos.d/tailscale.repo"
-
-// updateFedoraLike updates tailscale on any distros in the Fedora family,
-// specifically anything that uses "dnf" or "yum" package managers. The actual
-// package manager is passed via packageManager.
-func (up *updater) updateFedoraLike(packageManager string) func() error {
-	return func() (err error) {
-		if err := requireRoot(); err != nil {
-			return err
-		}
-		defer func() {
-			if err != nil {
-				err = fmt.Errorf(`%w; you can try updating using "%s upgrade tailscale"`, err, packageManager)
-			}
-		}()
-
-		ver, err := requestedTailscaleVersion(up.Version, up.track)
-		if err != nil {
-			return err
-		}
-		if !up.confirm(ver) {
-			return nil
-		}
-
-		if updated, err := updateYUMRepoTrack(yumRepoConfigFile, up.track); err != nil {
-			return err
-		} else if updated {
-			up.Logf("Updated %s to use the %s track", yumRepoConfigFile, up.track)
-		}
-
-		cmd := exec.Command(packageManager, "install", "--assumeyes", fmt.Sprintf("tailscale-%s-1", ver))
-		cmd.Stdout = os.Stdout
-		cmd.Stderr = os.Stderr
-		if err := cmd.Run(); err != nil {
-			return err
-		}
-		return nil
-	}
-}
-
-// updateYUMRepoTrack updates the repoFile file to make sure it has the
-// provided track (stable or unstable) in it.
-func updateYUMRepoTrack(repoFile, dstTrack string) (rewrote bool, err error) {
-	was, err := os.ReadFile(repoFile)
-	if err != nil {
-		return false, err
-	}
-
-	urlRe := regexp.MustCompile(`^(baseurl|gpgkey)=https://pkgs\.tailscale\.com/(un)?stable/`)
-	urlReplacement := fmt.Sprintf("$1=https://pkgs.tailscale.com/%s/", dstTrack)
-
-	s := bufio.NewScanner(bytes.NewReader(was))
-	newContent := bytes.NewBuffer(make([]byte, 0, len(was)))
-	for s.Scan() {
-		line := s.Text()
-		// Handle repo section name, like "[tailscale-stable]".
-		if len(line) > 0 && line[0] == '[' {
-			if !strings.HasPrefix(line, "[tailscale-") {
-				return false, fmt.Errorf("%q does not look like a tailscale repo file, it contains an unexpected %q section", repoFile, line)
-			}
-			fmt.Fprintf(newContent, "[tailscale-%s]\n", dstTrack)
-			continue
-		}
-		// Update the track mentioned in repo name.
-		if strings.HasPrefix(line, "name=") {
-			fmt.Fprintf(newContent, "name=Tailscale %s\n", dstTrack)
-			continue
-		}
-		// Update the actual repo URLs.
-		if strings.HasPrefix(line, "baseurl=") || strings.HasPrefix(line, "gpgkey=") {
-			fmt.Fprintln(newContent, urlRe.ReplaceAllString(line, urlReplacement))
-			continue
-		}
-		fmt.Fprintln(newContent, line)
-	}
-	if bytes.Equal(was, newContent.Bytes()) {
-		return false, nil
-	}
-	return true, os.WriteFile(repoFile, newContent.Bytes(), 0644)
-}
-
-func (up *updater) updateAlpineLike() (err error) {
-	if up.Version != "" {
-		return errors.New("installing a specific version on Alpine-based distros is not supported")
-	}
-	if err := requireRoot(); err != nil {
-		return err
-	}
-
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf(`%w; you can try updating using "apk upgrade tailscale"`, err)
-		}
-	}()
-
-	out, err := exec.Command("apk", "update").CombinedOutput()
-	if err != nil {
-		return fmt.Errorf("failed refresh apk repository indexes: %w, output: %q", err, out)
-	}
-	out, err = exec.Command("apk", "info", "tailscale").CombinedOutput()
-	if err != nil {
-		return fmt.Errorf("failed checking apk for latest tailscale version: %w, output: %q", err, out)
-	}
-	ver, err := parseAlpinePackageVersion(out)
-	if err != nil {
-		return fmt.Errorf(`failed to parse latest version from "apk info tailscale": %w`, err)
-	}
-	if !up.confirm(ver) {
-		return nil
-	}
-
-	cmd := exec.Command("apk", "upgrade", "tailscale")
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	if err := cmd.Run(); err != nil {
-		return fmt.Errorf("failed tailscale update using apk: %w", err)
-	}
-	return nil
-}
-
-func parseAlpinePackageVersion(out []byte) (string, error) {
-	s := bufio.NewScanner(bytes.NewReader(out))
-	for s.Scan() {
-		// The line should look like this:
-		// tailscale-1.44.2-r0 description:
-		line := strings.TrimSpace(s.Text())
-		if !strings.HasPrefix(line, "tailscale-") {
-			continue
-		}
-		parts := strings.SplitN(line, "-", 3)
-		if len(parts) < 3 {
-			return "", fmt.Errorf("malformed info line: %q", line)
-		}
-		return parts[1], nil
-	}
-	return "", errors.New("tailscale version not found in output")
-}
-
-func (up *updater) updateMacSys() error {
-	return errors.New("NOTREACHED: On MacSys builds, `tailscale update` is handled in Swift to launch the GUI updater")
-}
-
-func (up *updater) updateMacAppStore() error {
-	out, err := exec.Command("defaults", "read", "/Library/Preferences/com.apple.commerce.plist", "AutoUpdate").CombinedOutput()
-	if err != nil {
-		return fmt.Errorf("can't check App Store auto-update setting: %w, output: %q", err, string(out))
-	}
-	const on = "1\n"
-	if string(out) != on {
-		up.Logf("NOTE: Automatic updating for App Store apps is turned off. You can change this setting in System Settings (search for ‘update’).")
-	}
-
-	out, err = exec.Command("softwareupdate", "--list").CombinedOutput()
-	if err != nil {
-		return fmt.Errorf("can't check App Store for available updates: %w, output: %q", err, string(out))
-	}
-
-	newTailscale := parseSoftwareupdateList(out)
-	if newTailscale == "" {
-		up.Logf("no Tailscale update available")
-		return nil
-	}
-
-	newTailscaleVer := strings.TrimPrefix(newTailscale, "Tailscale-")
-	if !up.confirm(newTailscaleVer) {
-		return nil
-	}
-
-	cmd := exec.Command("sudo", "softwareupdate", "--install", newTailscale)
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	if err := cmd.Run(); err != nil {
-		return fmt.Errorf("can't install App Store update for Tailscale: %w", err)
-	}
-	return nil
-}
-
-var macOSAppStoreListPattern = regexp.MustCompile(`(?m)^\s+\*\s+Label:\s*(Tailscale-\d[\d\.]+)`)
-
-// parseSoftwareupdateList searches the output of `softwareupdate --list` on
-// Darwin and returns the matching Tailscale package label. If there is none,
-// returns the empty string.
-//
-// See TestParseSoftwareupdateList for example inputs.
-func parseSoftwareupdateList(stdout []byte) string {
-	matches := macOSAppStoreListPattern.FindSubmatch(stdout)
-	if len(matches) < 2 {
-		return ""
-	}
-	return string(matches[1])
-}
-
-// winMSIEnv is the environment variable that, if set, is the MSI file for the
-// update command to install. It's passed like this so we can stop the
-// tailscale.exe process from running before the msiexec process runs and tries
-// to overwrite ourselves.
-const winMSIEnv = "TS_UPDATE_WIN_MSI"
-
-var (
-	verifyAuthenticode func(string) error // or nil on non-Windows
-	markTempFileFunc   func(string) error // or nil on non-Windows
-)
-
-func (up *updater) updateWindows() error {
-	if msi := os.Getenv(winMSIEnv); msi != "" {
-		up.Logf("installing %v ...", msi)
-		if err := up.installMSI(msi); err != nil {
-			up.Logf("MSI install failed: %v", err)
-			return err
-		}
-		up.Logf("success.")
-		return nil
-	}
-	ver, err := requestedTailscaleVersion(up.Version, up.track)
-	if err != nil {
-		return err
-	}
-	arch := runtime.GOARCH
-	if arch == "386" {
-		arch = "x86"
-	}
-
-	if !up.confirm(ver) {
-		return nil
-	}
-	if !winutil.IsCurrentProcessElevated() {
-		return errors.New("must be run as Administrator")
-	}
-
-	tsDir := filepath.Join(os.Getenv("ProgramData"), "Tailscale")
-	msiDir := filepath.Join(tsDir, "MSICache")
-	if fi, err := os.Stat(tsDir); err != nil {
-		return fmt.Errorf("expected %s to exist, got stat error: %w", tsDir, err)
-	} else if !fi.IsDir() {
-		return fmt.Errorf("expected %s to be a directory; got %v", tsDir, fi.Mode())
-	}
-	if err := os.MkdirAll(msiDir, 0700); err != nil {
-		return err
-	}
-	url := fmt.Sprintf("https://pkgs.tailscale.com/%s/tailscale-setup-%s-%s.msi", up.track, ver, arch)
-	msiTarget := filepath.Join(msiDir, path.Base(url))
-	if err := up.downloadURLToFile(url, msiTarget); err != nil {
-		return err
-	}
-
-	up.Logf("verifying MSI authenticode...")
-	if err := verifyAuthenticode(msiTarget); err != nil {
-		return fmt.Errorf("authenticode verification of %s failed: %w", msiTarget, err)
-	}
-	up.Logf("authenticode verification succeeded")
-
-	up.Logf("making tailscale.exe copy to switch to...")
-	selfCopy, err := makeSelfCopy()
-	if err != nil {
-		return err
-	}
-	defer os.Remove(selfCopy)
-	up.Logf("running tailscale.exe copy for final install...")
-
-	cmd := exec.Command(selfCopy, "update")
-	cmd.Env = append(os.Environ(), winMSIEnv+"="+msiTarget)
-	cmd.Stdout = os.Stderr
-	cmd.Stderr = os.Stderr
-	cmd.Stdin = os.Stdin
-	if err := cmd.Start(); err != nil {
-		return err
-	}
-	// Once it's started, exit ourselves, so the binary is free
-	// to be replaced.
-	os.Exit(0)
-	panic("unreachable")
-}
-
-func (up *updater) installMSI(msi string) error {
-	var err error
-	for tries := 0; tries < 2; tries++ {
-		cmd := exec.Command("msiexec.exe", "/i", filepath.Base(msi), "/quiet", "/promptrestart", "/qn")
-		cmd.Dir = filepath.Dir(msi)
-		cmd.Stdout = os.Stdout
-		cmd.Stderr = os.Stderr
-		cmd.Stdin = os.Stdin
-		err = cmd.Run()
-		if err == nil {
-			break
-		}
-		uninstallVersion := version.Short()
-		if v := os.Getenv("TS_DEBUG_UNINSTALL_VERSION"); v != "" {
-			uninstallVersion = v
-		}
-		// Assume it's a downgrade, which msiexec won't permit. Uninstall our current version first.
-		up.Logf("Uninstalling current version %q for downgrade...", uninstallVersion)
-		cmd = exec.Command("msiexec.exe", "/x", msiUUIDForVersion(uninstallVersion), "/norestart", "/qn")
-		cmd.Stdout = os.Stdout
-		cmd.Stderr = os.Stderr
-		cmd.Stdin = os.Stdin
-		err = cmd.Run()
-		up.Logf("msiexec uninstall: %v", err)
-	}
-	return err
-}
-
-func msiUUIDForVersion(ver string) string {
-	arch := runtime.GOARCH
-	if arch == "386" {
-		arch = "x86"
-	}
-	track, err := versionToTrack(ver)
-	if err != nil {
-		track = UnstableTrack
-	}
-	msiURL := fmt.Sprintf("https://pkgs.tailscale.com/%s/tailscale-setup-%s-%s.msi", track, ver, arch)
-	return "{" + strings.ToUpper(uuid.NewSHA1(uuid.NameSpaceURL, []byte(msiURL)).String()) + "}"
-}
-
-func makeSelfCopy() (tmpPathExe string, err error) {
-	selfExe, err := os.Executable()
-	if err != nil {
-		return "", err
-	}
-	f, err := os.Open(selfExe)
-	if err != nil {
-		return "", err
-	}
-	defer f.Close()
-	f2, err := os.CreateTemp("", "tailscale-updater-*.exe")
-	if err != nil {
-		return "", err
-	}
-	if f := markTempFileFunc; f != nil {
-		if err := f(f2.Name()); err != nil {
-			return "", err
-		}
-	}
-	if _, err := io.Copy(f2, f); err != nil {
-		f2.Close()
-		return "", err
-	}
-	return f2.Name(), f2.Close()
-}
-
-func (up *updater) downloadURLToFile(urlSrc, fileDst string) (ret error) {
-	tr := http.DefaultTransport.(*http.Transport).Clone()
-	tr.Proxy = tshttpproxy.ProxyFromEnvironment
-	defer tr.CloseIdleConnections()
-	c := &http.Client{Transport: tr}
-
-	quickCtx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
-	defer cancel()
-	headReq := must.Get(http.NewRequestWithContext(quickCtx, "HEAD", urlSrc, nil))
-
-	res, err := c.Do(headReq)
-	if err != nil {
-		return err
-	}
-	if res.StatusCode != http.StatusOK {
-		return fmt.Errorf("HEAD %s: %v", urlSrc, res.Status)
-	}
-	if res.ContentLength <= 0 {
-		return fmt.Errorf("HEAD %s: unexpected Content-Length %v", urlSrc, res.ContentLength)
-	}
-	up.Logf("Download size: %v", res.ContentLength)
-
-	hashReq := must.Get(http.NewRequestWithContext(quickCtx, "GET", urlSrc+".sha256", nil))
-	hashRes, err := c.Do(hashReq)
-	if err != nil {
-		return err
-	}
-	hashHex, err := io.ReadAll(io.LimitReader(hashRes.Body, 100))
-	hashRes.Body.Close()
-	if res.StatusCode != http.StatusOK {
-		return fmt.Errorf("GET %s.sha256: %v", urlSrc, res.Status)
-	}
-	if err != nil {
-		return err
-	}
-	wantHash, err := hex.DecodeString(string(strings.TrimSpace(string(hashHex))))
-	if err != nil {
-		return err
-	}
-	hash := sha256.New()
-
-	dlReq := must.Get(http.NewRequestWithContext(context.Background(), "GET", urlSrc, nil))
-	dlRes, err := c.Do(dlReq)
-	if err != nil {
-		return err
-	}
-	// TODO(bradfitz): resume from existing partial file on disk
-	if dlRes.StatusCode != http.StatusOK {
-		return fmt.Errorf("GET %s: %v", urlSrc, dlRes.Status)
-	}
-
-	of, err := os.Create(fileDst)
-	if err != nil {
-		return err
-	}
-	defer func() {
-		if ret != nil {
-			of.Close()
-			// TODO(bradfitz): os.Remove(fileDst) too? or keep it to resume from/debug later.
-		}
-	}()
-	pw := &progressWriter{total: res.ContentLength, logf: up.Logf}
-	n, err := io.Copy(io.MultiWriter(hash, of, pw), io.LimitReader(dlRes.Body, res.ContentLength))
-	if err != nil {
-		return err
-	}
-	if n != res.ContentLength {
-		return fmt.Errorf("downloaded %v; want %v", n, res.ContentLength)
-	}
-	if err := of.Close(); err != nil {
-		return err
-	}
-	pw.print()
-
-	if !bytes.Equal(hash.Sum(nil), wantHash) {
-		return fmt.Errorf("SHA-256 of downloaded MSI didn't match expected value")
-	}
-	up.Logf("hash matched")
-
-	return nil
-}
-
-type progressWriter struct {
-	done      int64
-	total     int64
-	lastPrint time.Time
-	logf      logger.Logf
-}
-
-func (pw *progressWriter) Write(p []byte) (n int, err error) {
-	pw.done += int64(len(p))
-	if time.Since(pw.lastPrint) > 2*time.Second {
-		pw.print()
-	}
-	return len(p), nil
-}
-
-func (pw *progressWriter) print() {
-	pw.lastPrint = time.Now()
-	pw.logf("Downloaded %v/%v (%.1f%%)", pw.done, pw.total, float64(pw.done)/float64(pw.total)*100)
-}
-
-func (up *updater) updateFreeBSD() (err error) {
-	if up.Version != "" {
-		return errors.New("installing a specific version on FreeBSD is not supported")
-	}
-	if err := requireRoot(); err != nil {
-		return err
-	}
-
-	defer func() {
-		if err != nil {
-			err = fmt.Errorf(`%w; you can try updating using "pkg upgrade tailscale"`, err)
-		}
-	}()
-
-	out, err := exec.Command("pkg", "update").CombinedOutput()
-	if err != nil {
-		return fmt.Errorf("failed refresh pkg repository indexes: %w, output: %q", err, out)
-	}
-	out, err = exec.Command("pkg", "rquery", "%v", "tailscale").CombinedOutput()
-	if err != nil {
-		return fmt.Errorf("failed checking pkg for latest tailscale version: %w, output: %q", err, out)
-	}
-	ver := string(bytes.TrimSpace(out))
-	if !up.confirm(ver) {
-		return nil
-	}
-
-	cmd := exec.Command("pkg", "upgrade", "tailscale")
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	if err := cmd.Run(); err != nil {
-		return fmt.Errorf("failed tailscale update using pkg: %w", err)
-	}
-	return nil
-}
-
-func haveExecutable(name string) bool {
-	path, err := exec.LookPath(name)
-	return err == nil && path != ""
-}
-
-func requestedTailscaleVersion(ver, track string) (string, error) {
-	if ver != "" {
-		return ver, nil
-	}
-	return LatestTailscaleVersion(track)
-}
-
-// LatestTailscaleVersion returns the latest released version for the given
-// track from pkgs.tailscale.com.
-func LatestTailscaleVersion(track string) (string, error) {
-	if track == CurrentTrack {
-		if version.IsUnstableBuild() {
-			track = UnstableTrack
-		} else {
-			track = StableTrack
-		}
-	}
-
-	latest, err := latestPackages(track)
-	if err != nil {
-		return "", err
-	}
-	if latest.Version == "" {
-		return "", fmt.Errorf("no latest version found for %q track", track)
-	}
-	return latest.Version, nil
-}
-
-type trackPackages struct {
-	Version  string
-	Tarballs map[string]string
-	Exes     []string
-	MSIs     map[string]string
-	MacZips  map[string]string
-	SPKs     map[string]map[string]string
-}
-
-func latestPackages(track string) (*trackPackages, error) {
-	url := fmt.Sprintf("https://pkgs.tailscale.com/%s/?mode=json&os=%s", track, runtime.GOOS)
-	res, err := http.Get(url)
-	if err != nil {
-		return nil, fmt.Errorf("fetching latest tailscale version: %w", err)
-	}
-	defer res.Body.Close()
-	var latest trackPackages
-	if err := json.NewDecoder(res.Body).Decode(&latest); err != nil {
-		return nil, fmt.Errorf("decoding JSON: %v: %w", res.Status, err)
-	}
-	return &latest, nil
-}
-
-func requireRoot() error {
-	if os.Geteuid() == 0 {
-		return nil
-	}
-	switch runtime.GOOS {
-	case "linux":
-		return errors.New("must be root; use sudo")
-	case "freebsd", "openbsd":
-		return errors.New("must be root; use doas")
-	default:
-		return errors.New("must be root")
-	}
-}

clientupdate/clientupdate_test.go

@@ -1,504 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package clientupdate
-
-import (
-	"fmt"
-	"os"
-	"path/filepath"
-	"testing"
-)
-
-func TestUpdateDebianAptSourcesListBytes(t *testing.T) {
-	tests := []struct {
-		name    string
-		toTrack string
-		in      string
-		want    string // empty means want no change
-		wantErr string
-	}{
-		{
-			name:    "stable-to-unstable",
-			toTrack: UnstableTrack,
-			in:      "# Tailscale packages for debian buster\ndeb https://pkgs.tailscale.com/stable/debian bullseye main\n",
-			want:    "# Tailscale packages for debian buster\ndeb https://pkgs.tailscale.com/unstable/debian bullseye main\n",
-		},
-		{
-			name:    "stable-unchanged",
-			toTrack: StableTrack,
-			in:      "# Tailscale packages for debian buster\ndeb https://pkgs.tailscale.com/stable/debian bullseye main\n",
-		},
-		{
-			name:    "if-both-stable-and-unstable-dont-change",
-			toTrack: StableTrack,
-			in: "# Tailscale packages for debian buster\n" +
-				"deb https://pkgs.tailscale.com/stable/debian bullseye main\n" +
-				"deb https://pkgs.tailscale.com/unstable/debian bullseye main\n",
-		},
-		{
-			name:    "if-both-stable-and-unstable-dont-change-unstable",
-			toTrack: UnstableTrack,
-			in: "# Tailscale packages for debian buster\n" +
-				"deb https://pkgs.tailscale.com/stable/debian bullseye main\n" +
-				"deb https://pkgs.tailscale.com/unstable/debian bullseye main\n",
-		},
-		{
-			name:    "signed-by-form",
-			toTrack: UnstableTrack,
-			in:      "# Tailscale packages for ubuntu jammy\ndeb [signed-by=/usr/share/keyrings/tailscale-archive-keyring.gpg] https://pkgs.tailscale.com/stable/ubuntu jammy main\n",
-			want:    "# Tailscale packages for ubuntu jammy\ndeb [signed-by=/usr/share/keyrings/tailscale-archive-keyring.gpg] https://pkgs.tailscale.com/unstable/ubuntu jammy main\n",
-		},
-		{
-			name:    "unsupported-lines",
-			toTrack: UnstableTrack,
-			in:      "# Tailscale packages for ubuntu jammy\ndeb [signed-by=/usr/share/keyrings/tailscale-archive-keyring.gpg] https://pkgs.tailscale.com/foobar/ubuntu jammy main\n",
-			wantErr: "unexpected/unsupported /etc/apt/sources.list.d/tailscale.list contents",
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			newContent, err := updateDebianAptSourcesListBytes([]byte(tt.in), tt.toTrack)
-			if err != nil {
-				if err.Error() != tt.wantErr {
-					t.Fatalf("error = %v; want %q", err, tt.wantErr)
-				}
-				return
-			}
-			if tt.wantErr != "" {
-				t.Fatalf("got no error; want %q", tt.wantErr)
-			}
-			var gotChange string
-			if string(newContent) != tt.in {
-				gotChange = string(newContent)
-			}
-			if gotChange != tt.want {
-				t.Errorf("wrong result\n got: %q\nwant: %q", gotChange, tt.want)
-			}
-		})
-	}
-}
-
-func TestParseSoftwareupdateList(t *testing.T) {
-	tests := []struct {
-		name  string
-		input []byte
-		want  string
-	}{
-		{
-			name: "update-at-end-of-list",
-			input: []byte(`
-	 Software Update Tool
-
-	 Finding available software
-	 Software Update found the following new or updated software:
-			* Label: MacBookAirEFIUpdate2.4-2.4
-					 Title: MacBook Air EFI Firmware Update, Version: 2.4, Size: 3817K, Recommended: YES, Action: restart,
-			* Label: ProAppsQTCodecs-1.0
-					 Title: ProApps QuickTime codecs, Version: 1.0, Size: 968K, Recommended: YES,
-			* Label: Tailscale-1.23.4
-					 Title: The Tailscale VPN, Version: 1.23.4, Size: 1023K, Recommended: YES,
-`),
-			want: "Tailscale-1.23.4",
-		},
-		{
-			name: "update-in-middle-of-list",
-			input: []byte(`
-	 Software Update Tool
-
-	 Finding available software
-	 Software Update found the following new or updated software:
-			* Label: MacBookAirEFIUpdate2.4-2.4
-					 Title: MacBook Air EFI Firmware Update, Version: 2.4, Size: 3817K, Recommended: YES, Action: restart,
-			* Label: Tailscale-1.23.5000
-					 Title: The Tailscale VPN, Version: 1.23.4, Size: 1023K, Recommended: YES,
-			* Label: ProAppsQTCodecs-1.0
-					 Title: ProApps QuickTime codecs, Version: 1.0, Size: 968K, Recommended: YES,
-`),
-			want: "Tailscale-1.23.5000",
-		},
-		{
-			name: "update-not-in-list",
-			input: []byte(`
-	 Software Update Tool
-
-	 Finding available software
-	 Software Update found the following new or updated software:
-			* Label: MacBookAirEFIUpdate2.4-2.4
-					 Title: MacBook Air EFI Firmware Update, Version: 2.4, Size: 3817K, Recommended: YES, Action: restart,
-			* Label: ProAppsQTCodecs-1.0
-					 Title: ProApps QuickTime codecs, Version: 1.0, Size: 968K, Recommended: YES,
-`),
-			want: "",
-		},
-		{
-			name: "decoy-in-list",
-			input: []byte(`
-	 Software Update Tool
-
-	 Finding available software
-	 Software Update found the following new or updated software:
-			* Label: MacBookAirEFIUpdate2.4-2.4
-					 Title: MacBook Air EFI Firmware Update, Version: 2.4, Size: 3817K, Recommended: YES, Action: restart,
-			* Label: Malware-1.0
-					 Title: * Label: Tailscale-0.99.0, Version: 1.0, Size: 968K, Recommended: NOT REALLY TBH,
-`),
-			want: "",
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			got := parseSoftwareupdateList(test.input)
-			if test.want != got {
-				t.Fatalf("got %q, want %q", got, test.want)
-			}
-		})
-	}
-}
-
-func TestUpdateYUMRepoTrack(t *testing.T) {
-	tests := []struct {
-		desc    string
-		before  string
-		track   string
-		after   string
-		rewrote bool
-		wantErr bool
-	}{
-		{
-			desc: "same track",
-			before: `
-[tailscale-stable]
-name=Tailscale stable
-baseurl=https://pkgs.tailscale.com/stable/fedora/$basearch
-enabled=1
-type=rpm
-repo_gpgcheck=1
-gpgcheck=0
-gpgkey=https://pkgs.tailscale.com/stable/fedora/repo.gpg
-`,
-			track: StableTrack,
-			after: `
-[tailscale-stable]
-name=Tailscale stable
-baseurl=https://pkgs.tailscale.com/stable/fedora/$basearch
-enabled=1
-type=rpm
-repo_gpgcheck=1
-gpgcheck=0
-gpgkey=https://pkgs.tailscale.com/stable/fedora/repo.gpg
-`,
-		},
-		{
-			desc: "change track",
-			before: `
-[tailscale-stable]
-name=Tailscale stable
-baseurl=https://pkgs.tailscale.com/stable/fedora/$basearch
-enabled=1
-type=rpm
-repo_gpgcheck=1
-gpgcheck=0
-gpgkey=https://pkgs.tailscale.com/stable/fedora/repo.gpg
-`,
-			track: UnstableTrack,
-			after: `
-[tailscale-unstable]
-name=Tailscale unstable
-baseurl=https://pkgs.tailscale.com/unstable/fedora/$basearch
-enabled=1
-type=rpm
-repo_gpgcheck=1
-gpgcheck=0
-gpgkey=https://pkgs.tailscale.com/unstable/fedora/repo.gpg
-`,
-			rewrote: true,
-		},
-		{
-			desc: "non-tailscale repo file",
-			before: `
-[fedora]
-name=Fedora $releasever - $basearch
-#baseurl=http://download.example/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/
-metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
-enabled=1
-countme=1
-metadata_expire=7d
-repo_gpgcheck=0
-type=rpm
-gpgcheck=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
-skip_if_unavailable=False
-`,
-			track:   StableTrack,
-			wantErr: true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.desc, func(t *testing.T) {
-			path := filepath.Join(t.TempDir(), "tailscale.repo")
-			if err := os.WriteFile(path, []byte(tt.before), 0644); err != nil {
-				t.Fatal(err)
-			}
-
-			rewrote, err := updateYUMRepoTrack(path, tt.track)
-			if err == nil && tt.wantErr {
-				t.Fatal("got nil error, want non-nil")
-			}
-			if err != nil && !tt.wantErr {
-				t.Fatalf("got error %q, want nil", err)
-			}
-			if err != nil {
-				return
-			}
-			if rewrote != tt.rewrote {
-				t.Errorf("got rewrote flag %v, want %v", rewrote, tt.rewrote)
-			}
-
-			after, err := os.ReadFile(path)
-			if err != nil {
-				t.Fatal(err)
-			}
-			if string(after) != tt.after {
-				t.Errorf("got repo file after update:\n%swant:\n%s", after, tt.after)
-			}
-		})
-	}
-}
-
-func TestParseAlpinePackageVersion(t *testing.T) {
-	tests := []struct {
-		desc    string
-		out     string
-		want    string
-		wantErr bool
-	}{
-		{
-			desc: "valid version",
-			out: `
-tailscale-1.44.2-r0 description:
-The easiest, most secure way to use WireGuard and 2FA
-
-tailscale-1.44.2-r0 webpage:
-https://tailscale.com/
-
-tailscale-1.44.2-r0 installed size:
-32 MiB
-`,
-			want: "1.44.2",
-		},
-		{
-			desc: "wrong package output",
-			out: `
-busybox-1.36.1-r0 description:
-Size optimized toolbox of many common UNIX utilities
-
-busybox-1.36.1-r0 webpage:
-https://busybox.net/
-
-busybox-1.36.1-r0 installed size:
-924 KiB
-`,
-			wantErr: true,
-		},
-		{
-			desc: "missing version",
-			out: `
-tailscale description:
-The easiest, most secure way to use WireGuard and 2FA
-
-tailscale webpage:
-https://tailscale.com/
-
-tailscale installed size:
-32 MiB
-`,
-			wantErr: true,
-		},
-		{
-			desc:    "empty output",
-			out:     "",
-			wantErr: true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.desc, func(t *testing.T) {
-			got, err := parseAlpinePackageVersion([]byte(tt.out))
-			if err == nil && tt.wantErr {
-				t.Fatalf("got nil error and version %q, want non-nil error", got)
-			}
-			if err != nil && !tt.wantErr {
-				t.Fatalf("got error: %q, want nil", err)
-			}
-			if got != tt.want {
-				t.Fatalf("got version: %q, want %q", got, tt.want)
-			}
-		})
-	}
-}
-
-func TestSynoArch(t *testing.T) {
-	tests := []struct {
-		goarch         string
-		synoinfoUnique string
-		want           string
-		wantErr        bool
-	}{
-		{goarch: "amd64", synoinfoUnique: "synology_x86_224", want: "x86_64"},
-		{goarch: "arm64", synoinfoUnique: "synology_armv8_124", want: "armv8"},
-		{goarch: "386", synoinfoUnique: "synology_i686_415play", want: "i686"},
-		{goarch: "arm", synoinfoUnique: "synology_88f6281_213air", want: "88f6281"},
-		{goarch: "arm", synoinfoUnique: "synology_88f6282_413j", want: "88f6282"},
-		{goarch: "arm", synoinfoUnique: "synology_hi3535_NVR1218", want: "hi3535"},
-		{goarch: "arm", synoinfoUnique: "synology_alpine_1517", want: "alpine"},
-		{goarch: "arm", synoinfoUnique: "synology_armada370_216se", want: "armada370"},
-		{goarch: "arm", synoinfoUnique: "synology_armada375_115", want: "armada375"},
-		{goarch: "arm", synoinfoUnique: "synology_armada38x_419slim", want: "armada38x"},
-		{goarch: "arm", synoinfoUnique: "synology_armadaxp_RS815", want: "armadaxp"},
-		{goarch: "arm", synoinfoUnique: "synology_comcerto2k_414j", want: "comcerto2k"},
-		{goarch: "arm", synoinfoUnique: "synology_monaco_216play", want: "monaco"},
-		{goarch: "ppc64", synoinfoUnique: "synology_qoriq_413", wantErr: true},
-	}
-
-	for _, tt := range tests {
-		t.Run(fmt.Sprintf("%s-%s", tt.goarch, tt.synoinfoUnique), func(t *testing.T) {
-			synoinfoConfPath := filepath.Join(t.TempDir(), "synoinfo.conf")
-			if err := os.WriteFile(
-				synoinfoConfPath,
-				[]byte(fmt.Sprintf("unique=%q\n", tt.synoinfoUnique)),
-				0600,
-			); err != nil {
-				t.Fatal(err)
-			}
-			got, err := synoArch(tt.goarch, synoinfoConfPath)
-			if err != nil {
-				if !tt.wantErr {
-					t.Fatalf("got unexpected error %v", err)
-				}
-				return
-			}
-			if tt.wantErr {
-				t.Fatalf("got %q, expected an error", got)
-			}
-			if got != tt.want {
-				t.Errorf("got %q, want %q", got, tt.want)
-			}
-		})
-	}
-}
-
-func TestParseSynoinfo(t *testing.T) {
-	tests := []struct {
-		desc    string
-		content string
-		want    string
-		wantErr bool
-	}{
-		{
-			desc: "double-quoted",
-			content: `
-company_title="Synology"
-unique="synology_88f6281_213air"
-`,
-			want: "88f6281",
-		},
-		{
-			desc: "single-quoted",
-			content: `
-company_title="Synology"
-unique='synology_88f6281_213air'
-`,
-			want: "88f6281",
-		},
-		{
-			desc: "unquoted",
-			content: `
-company_title="Synology"
-unique=synology_88f6281_213air
-`,
-			want: "88f6281",
-		},
-		{
-			desc: "missing unique",
-			content: `
-company_title="Synology"
-`,
-			wantErr: true,
-		},
-		{
-			desc: "empty unique",
-			content: `
-company_title="Synology"
-unique=
-`,
-			wantErr: true,
-		},
-		{
-			desc: "empty unique double-quoted",
-			content: `
-company_title="Synology"
-unique=""
-`,
-			wantErr: true,
-		},
-		{
-			desc: "empty unique single-quoted",
-			content: `
-company_title="Synology"
-unique=''
-`,
-			wantErr: true,
-		},
-		{
-			desc: "malformed unique",
-			content: `
-company_title="Synology"
-unique="synology_88f6281"
-`,
-			wantErr: true,
-		},
-		{
-			desc:    "empty file",
-			content: ``,
-			wantErr: true,
-		},
-		{
-			desc: "empty lines and comments",
-			content: `
-
-# In a file named synoinfo? Shocking!
-company_title="Synology"
-
-
-# unique= is_a_field_that_follows
-unique="synology_88f6281_213air"
-
-`,
-			want: "88f6281",
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.desc, func(t *testing.T) {
-			synoinfoConfPath := filepath.Join(t.TempDir(), "synoinfo.conf")
-			if err := os.WriteFile(synoinfoConfPath, []byte(tt.content), 0600); err != nil {
-				t.Fatal(err)
-			}
-			got, err := parseSynoinfo(synoinfoConfPath)
-			if err != nil {
-				if !tt.wantErr {
-					t.Fatalf("got unexpected error %v", err)
-				}
-				return
-			}
-			if tt.wantErr {
-				t.Fatalf("got %q, expected an error", got)
-			}
-			if got != tt.want {
-				t.Errorf("got %q, want %q", got, tt.want)
-			}
-		})
-	}
-}

clientupdate/clientupdate_windows.go

@@ -1,28 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// Windows-specific stuff that can't go in clientupdate.go because it needs
-// x/sys/windows.
-
-package clientupdate
-
-import (
-	"golang.org/x/sys/windows"
-	"tailscale.com/util/winutil/authenticode"
-)
-
-func init() {
-	markTempFileFunc = markTempFileWindows
-	verifyAuthenticode = verifyTailscale
-}
-
-func markTempFileWindows(name string) error {
-	name16 := windows.StringToUTF16Ptr(name)
-	return windows.MoveFileEx(name16, nil, windows.MOVEFILE_DELAY_UNTIL_REBOOT)
-}
-
-const certSubjectTailscale = "Tailscale Inc."
-
-func verifyTailscale(path string) error {
-	return authenticode.Verify(path, certSubjectTailscale)
-}

clientupdate/distsign/distsign.go

@@ -1,378 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// Package distsign implements signature and validation of arbitrary
-// distributable files.
-//
-// There are 3 parties in this exchange:
-//   - builder, which creates files, signs them with signing keys and publishes
-//     to server
-//   - server, which distributes public signing keys, files and signatures
-//   - client, which downloads files and signatures from server, and validates
-//     the signatures
-//
-// There are 2 types of keys:
-//   - signing keys, that sign individual distributable files on the builder
-//   - root keys, that sign signing keys and are kept offline
-//
-// root keys -(sign)-> signing keys -(sign)-> files
-//
-// All keys are asymmetric Ed25519 key pairs.
-//
-// The server serves static files under some known prefix. The kinds of files are:
-//   - distsign.pub - bundle of PEM-encoded public signing keys
-//   - distsign.pub.sig - signature of distsign.pub using one of the root keys
-//   - $file - any distributable file
-//   - $file.sig - signature of $file using any of the signing keys
-//
-// The root public keys are baked into the client software at compile time.
-// These keys are long-lived and prove the validity of current signing keys
-// from distsign.pub. To rotate root keys, a new client release must be
-// published, they are not rotated dynamically. There are multiple root keys in
-// different locations specifically to allow this rotation without using the
-// discarded root key for any new signatures.
-//
-// The signing public keys are fetched by the client dynamically before every
-// download and can be rotated more readily, assuming that most deployed
-// clients trust the root keys used to issue fresh signing keys.
-package distsign
-
-import (
-	"crypto/ed25519"
-	"crypto/rand"
-	"encoding/binary"
-	"encoding/pem"
-	"errors"
-	"fmt"
-	"hash"
-	"io"
-	"net/http"
-	"net/url"
-	"os"
-
-	"github.com/hdevalence/ed25519consensus"
-	"golang.org/x/crypto/blake2s"
-)
-
-const (
-	pemTypeRootPrivate    = "ROOT PRIVATE KEY"
-	pemTypeRootPublic     = "ROOT PUBLIC KEY"
-	pemTypeSigningPrivate = "SIGNING PRIVATE KEY"
-	pemTypeSigningPublic  = "SIGNING PUBLIC KEY"
-
-	downloadSizeLimit    = 1 << 29 // 512MB
-	signingKeysSizeLimit = 1 << 20 // 1MB
-	signatureSizeLimit   = ed25519.SignatureSize
-)
-
-// RootKey is a root key used to sign signing keys.
-type RootKey struct {
-	k ed25519.PrivateKey
-}
-
-// GenerateRootKey generates a new root key pair and encodes it as PEM.
-func GenerateRootKey() (priv, pub []byte, err error) {
-	pub, priv, err = ed25519.GenerateKey(rand.Reader)
-	if err != nil {
-		return nil, nil, err
-	}
-	return pem.EncodeToMemory(&pem.Block{
-			Type:  pemTypeRootPrivate,
-			Bytes: []byte(priv),
-		}), pem.EncodeToMemory(&pem.Block{
-			Type:  pemTypeRootPublic,
-			Bytes: []byte(pub),
-		}), nil
-}
-
-// ParseRootKey parses the PEM-encoded private root key. The key must be in the
-// same format as returned by GenerateRootKey.
-func ParseRootKey(privKey []byte) (*RootKey, error) {
-	k, err := parsePrivateKey(privKey, pemTypeRootPrivate)
-	if err != nil {
-		return nil, fmt.Errorf("failed to parse root key: %w", err)
-	}
-	return &RootKey{k: k}, nil
-}
-
-// SignSigningKeys signs the bundle of public signing keys. The bundle must be
-// a sequence of PEM blocks joined with newlines.
-func (r *RootKey) SignSigningKeys(pubBundle []byte) ([]byte, error) {
-	if _, err := ParseSigningKeyBundle(pubBundle); err != nil {
-		return nil, err
-	}
-	return ed25519.Sign(r.k, pubBundle), nil
-}
-
-// SigningKey is a signing key used to sign packages.
-type SigningKey struct {
-	k ed25519.PrivateKey
-}
-
-// GenerateSigningKey generates a new signing key pair and encodes it as PEM.
-func GenerateSigningKey() (priv, pub []byte, err error) {
-	pub, priv, err = ed25519.GenerateKey(rand.Reader)
-	if err != nil {
-		return nil, nil, err
-	}
-	return pem.EncodeToMemory(&pem.Block{
-			Type:  pemTypeSigningPrivate,
-			Bytes: []byte(priv),
-		}), pem.EncodeToMemory(&pem.Block{
-			Type:  pemTypeSigningPublic,
-			Bytes: []byte(pub),
-		}), nil
-}
-
-// ParseSigningKey parses the PEM-encoded private signing key. The key must be
-// in the same format as returned by GenerateSigningKey.
-func ParseSigningKey(privKey []byte) (*SigningKey, error) {
-	k, err := parsePrivateKey(privKey, pemTypeSigningPrivate)
-	if err != nil {
-		return nil, fmt.Errorf("failed to parse root key: %w", err)
-	}
-	return &SigningKey{k: k}, nil
-}
-
-// SignPackageHash signs the hash and the length of a package. Use PackageHash
-// to compute the inputs.
-func (s *SigningKey) SignPackageHash(hash []byte, len int64) ([]byte, error) {
-	if len <= 0 {
-		return nil, fmt.Errorf("package length must be positive, got %d", len)
-	}
-	msg := binary.LittleEndian.AppendUint64(hash, uint64(len))
-	return ed25519.Sign(s.k, msg), nil
-}
-
-// PackageHash is a hash.Hash that counts the number of bytes written. Use it
-// to get the hash and length inputs to SigningKey.SignPackageHash.
-type PackageHash struct {
-	hash.Hash
-	len int64
-}
-
-// NewPackageHash returns an initialized PackageHash using BLAKE2s.
-func NewPackageHash() *PackageHash {
-	h, err := blake2s.New256(nil)
-	if err != nil {
-		// Should never happen with a nil key passed to blake2s.
-		panic(err)
-	}
-	return &PackageHash{Hash: h}
-}
-
-func (ph *PackageHash) Write(b []byte) (int, error) {
-	ph.len += int64(len(b))
-	return ph.Hash.Write(b)
-}
-
-// Reset the PackageHash to its initial state.
-func (ph *PackageHash) Reset() {
-	ph.len = 0
-	ph.Hash.Reset()
-}
-
-// Len returns the total number of bytes written.
-func (ph *PackageHash) Len() int64 { return ph.len }
-
-// Client downloads and validates files from a distribution server.
-type Client struct {
-	roots    []ed25519.PublicKey
-	pkgsAddr *url.URL
-}
-
-// NewClient returns a new client for distribution server located at pkgsAddr,
-// and uses embedded root keys from the roots/ subdirectory of this package.
-func NewClient(pkgsAddr string) (*Client, error) {
-	u, err := url.Parse(pkgsAddr)
-	if err != nil {
-		return nil, fmt.Errorf("invalid pkgsAddr %q: %w", pkgsAddr, err)
-	}
-	return &Client{roots: roots(), pkgsAddr: u}, nil
-}
-
-func (c *Client) url(path string) string {
-	return c.pkgsAddr.JoinPath(path).String()
-}
-
-// Download fetches a file at path srcPath from pkgsAddr passed in NewClient.
-// The file is downloaded to dstPath and its signature is validated using the
-// embedded root keys. Download returns an error if anything goes wrong with
-// the actual file download or with signature validation.
-func (c *Client) Download(srcPath, dstPath string) error {
-	// Always fetch a fresh signing key.
-	sigPub, err := c.signingKeys()
-	if err != nil {
-		return err
-	}
-
-	srcURL := c.url(srcPath)
-	sigURL := srcURL + ".sig"
-
-	dstPathUnverified := dstPath + ".unverified"
-	hash, len, err := download(srcURL, dstPathUnverified, downloadSizeLimit)
-	if err != nil {
-		return err
-	}
-	sig, err := fetch(sigURL, signatureSizeLimit)
-	if err != nil {
-		// Best-effort clean up of downloaded package.
-		os.Remove(dstPathUnverified)
-		return err
-	}
-	msg := binary.LittleEndian.AppendUint64(hash, uint64(len))
-	if !VerifyAny(sigPub, msg, sig) {
-		// Best-effort clean up of downloaded package.
-		os.Remove(dstPathUnverified)
-		return fmt.Errorf("signature %q for key %q does not validate with the current release signing key; either you are under attack, or attempting to download an old version of Tailscale which was signed with an older signing key", sigURL, srcURL)
-	}
-
-	if err := os.Rename(dstPathUnverified, dstPath); err != nil {
-		return fmt.Errorf("failed to move %q to %q after signature validation", dstPathUnverified, dstPath)
-	}
-
-	return nil
-}
-
-// signingKeys fetches current signing keys from the server and validates them
-// against the roots. Should be called before validation of any downloaded file
-// to get the fresh keys.
-func (c *Client) signingKeys() ([]ed25519.PublicKey, error) {
-	keyURL := c.url("distsign.pub")
-	sigURL := keyURL + ".sig"
-	raw, err := fetch(keyURL, signingKeysSizeLimit)
-	if err != nil {
-		return nil, err
-	}
-	sig, err := fetch(sigURL, signatureSizeLimit)
-	if err != nil {
-		return nil, err
-	}
-	if !VerifyAny(c.roots, raw, sig) {
-		return nil, fmt.Errorf("signature %q for key %q does not validate with any known root key; either you are under attack, or running a very old version of Tailscale with outdated root keys", sigURL, keyURL)
-	}
-
-	keys, err := ParseSigningKeyBundle(raw)
-	if err != nil {
-		return nil, fmt.Errorf("cannot parse signing key bundle from %q: %w", keyURL, err)
-	}
-	return keys, nil
-}
-
-// fetch reads the response body from url into memory, up to limit bytes.
-func fetch(url string, limit int64) ([]byte, error) {
-	resp, err := http.Get(url)
-	if err != nil {
-		return nil, err
-	}
-	defer resp.Body.Close()
-
-	return io.ReadAll(io.LimitReader(resp.Body, limit))
-}
-
-// download writes the response body of url into a local file at dst, up to
-// limit bytes. On success, the returned value is a BLAKE2s hash of the file.
-func download(url, dst string, limit int64) ([]byte, int64, error) {
-	resp, err := http.Get(url)
-	if err != nil {
-		return nil, 0, err
-	}
-	defer resp.Body.Close()
-
-	h := NewPackageHash()
-	r := io.TeeReader(io.LimitReader(resp.Body, limit), h)
-
-	f, err := os.Create(dst)
-	if err != nil {
-		return nil, 0, err
-	}
-	defer f.Close()
-
-	if _, err := io.Copy(f, r); err != nil {
-		return nil, 0, err
-	}
-	if err := f.Close(); err != nil {
-		return nil, 0, err
-	}
-
-	return h.Sum(nil), h.Len(), nil
-}
-
-func parsePrivateKey(data []byte, typeTag string) (ed25519.PrivateKey, error) {
-	b, rest := pem.Decode(data)
-	if b == nil {
-		return nil, errors.New("failed to decode PEM data")
-	}
-	if len(rest) > 0 {
-		return nil, errors.New("trailing PEM data")
-	}
-	if b.Type != typeTag {
-		return nil, fmt.Errorf("PEM type is %q, want %q", b.Type, typeTag)
-	}
-	if len(b.Bytes) != ed25519.PrivateKeySize {
-		return nil, errors.New("private key has incorrect length for an Ed25519 private key")
-	}
-	return ed25519.PrivateKey(b.Bytes), nil
-}
-
-// ParseSigningKeyBundle parses the bundle of PEM-encoded public signing keys.
-func ParseSigningKeyBundle(bundle []byte) ([]ed25519.PublicKey, error) {
-	return parsePublicKeyBundle(bundle, pemTypeSigningPublic)
-}
-
-// ParseRootKeyBundle parses the bundle of PEM-encoded public root keys.
-func ParseRootKeyBundle(bundle []byte) ([]ed25519.PublicKey, error) {
-	return parsePublicKeyBundle(bundle, pemTypeRootPublic)
-}
-
-func parsePublicKeyBundle(bundle []byte, typeTag string) ([]ed25519.PublicKey, error) {
-	var keys []ed25519.PublicKey
-	for len(bundle) > 0 {
-		pub, rest, err := parsePublicKey(bundle, typeTag)
-		if err != nil {
-			return nil, err
-		}
-		keys = append(keys, pub)
-		bundle = rest
-	}
-	if len(keys) == 0 {
-		return nil, errors.New("no signing keys found in the bundle")
-	}
-	return keys, nil
-}
-
-func parseSinglePublicKey(data []byte, typeTag string) (ed25519.PublicKey, error) {
-	pub, rest, err := parsePublicKey(data, typeTag)
-	if err != nil {
-		return nil, err
-	}
-	if len(rest) > 0 {
-		return nil, errors.New("trailing PEM data")
-	}
-	return pub, err
-}
-
-func parsePublicKey(data []byte, typeTag string) (pub ed25519.PublicKey, rest []byte, retErr error) {
-	b, rest := pem.Decode(data)
-	if b == nil {
-		return nil, nil, errors.New("failed to decode PEM data")
-	}
-	if b.Type != typeTag {
-		return nil, nil, fmt.Errorf("PEM type is %q, want %q", b.Type, typeTag)
-	}
-	if len(b.Bytes) != ed25519.PublicKeySize {
-		return nil, nil, errors.New("public key has incorrect length for an Ed25519 public key")
-	}
-	return ed25519.PublicKey(b.Bytes), rest, nil
-}
-
-// VerifyAny verifies whether sig is valid for msg using any of the keys.
-// VerifyAny will panic if any of the keys have the wrong size for Ed25519.
-func VerifyAny(keys []ed25519.PublicKey, msg, sig []byte) bool {
-	for _, k := range keys {
-		if ed25519consensus.Verify(k, msg, sig) {
-			return true
-		}
-	}
-	return false
-}

clientupdate/distsign/distsign_test.go

@@ -1,466 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package distsign
-
-import (
-	"bytes"
-	"crypto/ed25519"
-	"net/http"
-	"net/http/httptest"
-	"net/url"
-	"os"
-	"path/filepath"
-	"strings"
-	"testing"
-
-	"golang.org/x/crypto/blake2s"
-)
-
-func TestDownload(t *testing.T) {
-	srv := newTestServer(t)
-	c := srv.client(t)
-
-	tests := []struct {
-		desc    string
-		before  func(*testing.T)
-		src     string
-		want    []byte
-		wantErr bool
-	}{
-		{
-			desc:    "missing file",
-			before:  func(*testing.T) {},
-			src:     "hello",
-			wantErr: true,
-		},
-		{
-			desc: "success",
-			before: func(*testing.T) {
-				srv.addSigned("hello", []byte("world"))
-			},
-			src:  "hello",
-			want: []byte("world"),
-		},
-		{
-			desc: "no signature",
-			before: func(*testing.T) {
-				srv.add("hello", []byte("world"))
-			},
-			src:     "hello",
-			wantErr: true,
-		},
-		{
-			desc: "bad signature",
-			before: func(*testing.T) {
-				srv.add("hello", []byte("world"))
-				srv.add("hello.sig", []byte("potato"))
-			},
-			src:     "hello",
-			wantErr: true,
-		},
-		{
-			desc: "signed with untrusted key",
-			before: func(t *testing.T) {
-				srv.add("hello", []byte("world"))
-				srv.add("hello.sig", newSigningKeyPair(t).sign([]byte("world")))
-			},
-			src:     "hello",
-			wantErr: true,
-		},
-		{
-			desc: "signed with root key",
-			before: func(t *testing.T) {
-				srv.add("hello", []byte("world"))
-				srv.add("hello.sig", ed25519.Sign(srv.roots[0].k, []byte("world")))
-			},
-			src:     "hello",
-			wantErr: true,
-		},
-		{
-			desc: "bad signing key signature",
-			before: func(t *testing.T) {
-				srv.add("distsign.pub.sig", []byte("potato"))
-				srv.addSigned("hello", []byte("world"))
-			},
-			src:     "hello",
-			wantErr: true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.desc, func(t *testing.T) {
-			srv.reset()
-			tt.before(t)
-
-			dst := filepath.Join(t.TempDir(), tt.src)
-			t.Cleanup(func() {
-				os.Remove(dst)
-			})
-			err := c.Download(tt.src, dst)
-			if err != nil {
-				if tt.wantErr {
-					return
-				}
-				t.Fatalf("unexpected error from Download(%q): %v", tt.src, err)
-			}
-			if tt.wantErr {
-				t.Fatalf("Download(%q) succeeded, expected an error", tt.src)
-			}
-			got, err := os.ReadFile(dst)
-			if err != nil {
-				t.Fatal(err)
-			}
-			if !bytes.Equal(tt.want, got) {
-				t.Errorf("Download(%q): got %q, want %q", tt.src, got, tt.want)
-			}
-		})
-	}
-}
-
-func TestRotateRoot(t *testing.T) {
-	srv := newTestServer(t)
-	c1 := srv.client(t)
-
-	srv.addSigned("hello", []byte("world"))
-	if err := c1.Download("hello", filepath.Join(t.TempDir(), "hello")); err != nil {
-		t.Fatalf("Download failed on a fresh server: %v", err)
-	}
-
-	// Remove first root and replace it with a new key.
-	srv.roots = append(srv.roots[1:], newRootKeyPair(t))
-
-	// Old client can still download files because it still trusts the old
-	// root key.
-	if err := c1.Download("hello", filepath.Join(t.TempDir(), "hello")); err != nil {
-		t.Fatalf("Download failed after root rotation on old client: %v", err)
-	}
-	// New client should fail download because current signing key is signed by
-	// the revoked root that new client doesn't trust.
-	c2 := srv.client(t)
-	if err := c2.Download("hello", filepath.Join(t.TempDir(), "hello")); err == nil {
-		t.Fatalf("Download succeeded on new client, but signing key is signed with revoked root key")
-	}
-	// Re-sign signing key with another valid root that client still trusts.
-	srv.resignSigningKeys()
-	// Both old and new clients should now be able to download.
-	//
-	// Note: we don't need to re-sign the "hello" file because signing key
-	// didn't change (only signing key's signature).
-	if err := c1.Download("hello", filepath.Join(t.TempDir(), "hello")); err != nil {
-		t.Fatalf("Download failed after root rotation on old client with re-signed signing key: %v", err)
-	}
-	if err := c2.Download("hello", filepath.Join(t.TempDir(), "hello")); err != nil {
-		t.Fatalf("Download failed after root rotation on new client with re-signed signing key: %v", err)
-	}
-}
-
-func TestRotateSigning(t *testing.T) {
-	srv := newTestServer(t)
-	c := srv.client(t)
-
-	srv.addSigned("hello", []byte("world"))
-	if err := c.Download("hello", filepath.Join(t.TempDir(), "hello")); err != nil {
-		t.Fatalf("Download failed on a fresh server: %v", err)
-	}
-
-	// Replace signing key but don't publish it yet.
-	srv.sign = append(srv.sign, newSigningKeyPair(t))
-	if err := c.Download("hello", filepath.Join(t.TempDir(), "hello")); err != nil {
-		t.Fatalf("Download failed after new signing key added but before publishing it: %v", err)
-	}
-
-	// Publish new signing key bundle with both keys.
-	srv.resignSigningKeys()
-	if err := c.Download("hello", filepath.Join(t.TempDir(), "hello")); err != nil {
-		t.Fatalf("Download failed after new signing key was published: %v", err)
-	}
-
-	// Re-sign the "hello" file with new signing key.
-	srv.add("hello.sig", srv.sign[1].sign([]byte("world")))
-	if err := c.Download("hello", filepath.Join(t.TempDir(), "hello")); err != nil {
-		t.Fatalf("Download failed after re-signing with new signing key: %v", err)
-	}
-
-	// Drop the old signing key.
-	srv.sign = srv.sign[1:]
-	srv.resignSigningKeys()
-	if err := c.Download("hello", filepath.Join(t.TempDir(), "hello")); err != nil {
-		t.Fatalf("Download failed after removing old signing key: %v", err)
-	}
-
-	// Add another key and re-sign the file with it *before* publishing.
-	srv.sign = append(srv.sign, newSigningKeyPair(t))
-	srv.add("hello.sig", srv.sign[1].sign([]byte("world")))
-	if err := c.Download("hello", filepath.Join(t.TempDir(), "hello")); err == nil {
-		t.Fatalf("Download succeeded when signed with a not-yet-published signing key")
-	}
-	// Fix this by publishing the new key.
-	srv.resignSigningKeys()
-	if err := c.Download("hello", filepath.Join(t.TempDir(), "hello")); err != nil {
-		t.Fatalf("Download failed after publishing new signing key: %v", err)
-	}
-}
-
-func TestParseRootKey(t *testing.T) {
-	tests := []struct {
-		desc     string
-		generate func() ([]byte, []byte, error)
-		wantErr  bool
-	}{
-		{
-			desc:     "valid",
-			generate: GenerateRootKey,
-		},
-		{
-			desc:     "signing",
-			generate: GenerateSigningKey,
-			wantErr:  true,
-		},
-		{
-			desc:     "nil",
-			generate: func() ([]byte, []byte, error) { return nil, nil, nil },
-			wantErr:  true,
-		},
-		{
-			desc: "invalid PEM tag",
-			generate: func() ([]byte, []byte, error) {
-				priv, pub, err := GenerateRootKey()
-				priv = bytes.Replace(priv, []byte("ROOT "), nil, -1)
-				return priv, pub, err
-			},
-			wantErr: true,
-		},
-		{
-			desc:     "not PEM",
-			generate: func() ([]byte, []byte, error) { return []byte("s3cr3t"), nil, nil },
-			wantErr:  true,
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.desc, func(t *testing.T) {
-			priv, _, err := tt.generate()
-			if err != nil {
-				t.Fatal(err)
-			}
-			r, err := ParseRootKey(priv)
-			if err != nil {
-				if tt.wantErr {
-					return
-				}
-				t.Fatalf("unexpected error: %v", err)
-			}
-			if tt.wantErr {
-				t.Fatal("expected non-nil error")
-			}
-			if r == nil {
-				t.Errorf("got nil error and nil RootKey")
-			}
-		})
-	}
-}
-
-func TestParseSigningKey(t *testing.T) {
-	tests := []struct {
-		desc     string
-		generate func() ([]byte, []byte, error)
-		wantErr  bool
-	}{
-		{
-			desc:     "valid",
-			generate: GenerateSigningKey,
-		},
-		{
-			desc:     "root",
-			generate: GenerateRootKey,
-			wantErr:  true,
-		},
-		{
-			desc:     "nil",
-			generate: func() ([]byte, []byte, error) { return nil, nil, nil },
-			wantErr:  true,
-		},
-		{
-			desc: "invalid PEM tag",
-			generate: func() ([]byte, []byte, error) {
-				priv, pub, err := GenerateSigningKey()
-				priv = bytes.Replace(priv, []byte("SIGNING "), nil, -1)
-				return priv, pub, err
-			},
-			wantErr: true,
-		},
-		{
-			desc:     "not PEM",
-			generate: func() ([]byte, []byte, error) { return []byte("s3cr3t"), nil, nil },
-			wantErr:  true,
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.desc, func(t *testing.T) {
-			priv, _, err := tt.generate()
-			if err != nil {
-				t.Fatal(err)
-			}
-			r, err := ParseSigningKey(priv)
-			if err != nil {
-				if tt.wantErr {
-					return
-				}
-				t.Fatalf("unexpected error: %v", err)
-			}
-			if tt.wantErr {
-				t.Fatal("expected non-nil error")
-			}
-			if r == nil {
-				t.Errorf("got nil error and nil SigningKey")
-			}
-		})
-	}
-}
-
-type testServer struct {
-	roots []rootKeyPair
-	sign  []signingKeyPair
-	files map[string][]byte
-	srv   *httptest.Server
-}
-
-func newTestServer(t *testing.T) *testServer {
-	var roots []rootKeyPair
-	for i := 0; i < 3; i++ {
-		roots = append(roots, newRootKeyPair(t))
-	}
-
-	ts := &testServer{
-		roots: roots,
-		sign:  []signingKeyPair{newSigningKeyPair(t)},
-	}
-	ts.reset()
-	ts.srv = httptest.NewServer(ts)
-	t.Cleanup(ts.srv.Close)
-	return ts
-}
-
-func (s *testServer) client(t *testing.T) *Client {
-	roots := make([]ed25519.PublicKey, 0, len(s.roots))
-	for _, r := range s.roots {
-		pub, err := parseSinglePublicKey(r.pubRaw, pemTypeRootPublic)
-		if err != nil {
-			t.Fatalf("parsePublicKey: %v", err)
-		}
-		roots = append(roots, pub)
-	}
-	u, err := url.Parse(s.srv.URL)
-	if err != nil {
-		t.Fatal(err)
-	}
-	return &Client{
-		roots:    roots,
-		pkgsAddr: u,
-	}
-}
-
-func (s *testServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
-	path := strings.TrimPrefix(r.URL.Path, "/")
-	data, ok := s.files[path]
-	if !ok {
-		http.NotFound(w, r)
-		return
-	}
-	w.Write(data)
-}
-
-func (s *testServer) addSigned(name string, data []byte) {
-	s.files[name] = data
-	s.files[name+".sig"] = s.sign[0].sign(data)
-}
-
-func (s *testServer) add(name string, data []byte) {
-	s.files[name] = data
-}
-
-func (s *testServer) reset() {
-	s.files = make(map[string][]byte)
-	s.resignSigningKeys()
-}
-
-func (s *testServer) resignSigningKeys() {
-	var pubs [][]byte
-	for _, k := range s.sign {
-		pubs = append(pubs, k.pubRaw)
-	}
-	bundle := bytes.Join(pubs, []byte("\n"))
-	sig := s.roots[0].sign(bundle)
-	s.files["distsign.pub"] = bundle
-	s.files["distsign.pub.sig"] = sig
-}
-
-type rootKeyPair struct {
-	*RootKey
-	keyPair
-}
-
-func newRootKeyPair(t *testing.T) rootKeyPair {
-	privRaw, pubRaw, err := GenerateRootKey()
-	if err != nil {
-		t.Fatalf("GenerateRootKey: %v", err)
-	}
-	kp := keyPair{
-		privRaw: privRaw,
-		pubRaw:  pubRaw,
-	}
-	priv, err := parsePrivateKey(kp.privRaw, pemTypeRootPrivate)
-	if err != nil {
-		t.Fatalf("parsePrivateKey: %v", err)
-	}
-	return rootKeyPair{
-		RootKey: &RootKey{k: priv},
-		keyPair: kp,
-	}
-}
-
-func (s rootKeyPair) sign(bundle []byte) []byte {
-	sig, err := s.SignSigningKeys(bundle)
-	if err != nil {
-		panic(err)
-	}
-	return sig
-}
-
-type signingKeyPair struct {
-	*SigningKey
-	keyPair
-}
-
-func newSigningKeyPair(t *testing.T) signingKeyPair {
-	privRaw, pubRaw, err := GenerateSigningKey()
-	if err != nil {
-		t.Fatalf("GenerateSigningKey: %v", err)
-	}
-	kp := keyPair{
-		privRaw: privRaw,
-		pubRaw:  pubRaw,
-	}
-	priv, err := parsePrivateKey(kp.privRaw, pemTypeSigningPrivate)
-	if err != nil {
-		t.Fatalf("parsePrivateKey: %v", err)
-	}
-	return signingKeyPair{
-		SigningKey: &SigningKey{k: priv},
-		keyPair:    kp,
-	}
-}
-
-func (s signingKeyPair) sign(blob []byte) []byte {
-	hash := blake2s.Sum256(blob)
-	sig, err := s.SignPackageHash(hash[:], int64(len(blob)))
-	if err != nil {
-		panic(err)
-	}
-	return sig
-}
-
-type keyPair struct {
-	privRaw []byte
-	pubRaw  []byte
-}

clientupdate/distsign/roots.go

@@ -1,54 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package distsign
-
-import (
-	"crypto/ed25519"
-	"embed"
-	"errors"
-	"fmt"
-	"path"
-	"path/filepath"
-	"sync"
-)
-
-//go:embed roots
-var rootsFS embed.FS
-
-var roots = sync.OnceValue(func() []ed25519.PublicKey {
-	roots, err := parseRoots()
-	if err != nil {
-		panic(err)
-	}
-	return roots
-})
-
-func parseRoots() ([]ed25519.PublicKey, error) {
-	files, err := rootsFS.ReadDir("roots")
-	if err != nil {
-		return nil, err
-	}
-	var keys []ed25519.PublicKey
-	for _, f := range files {
-		if !f.Type().IsRegular() {
-			continue
-		}
-		if filepath.Ext(f.Name()) != ".pem" {
-			continue
-		}
-		raw, err := rootsFS.ReadFile(path.Join("roots", f.Name()))
-		if err != nil {
-			return nil, err
-		}
-		key, err := parseSinglePublicKey(raw, pemTypeRootPublic)
-		if err != nil {
-			return nil, fmt.Errorf("parsing root key %q: %w", f.Name(), err)
-		}
-		keys = append(keys, key)
-	}
-	if len(keys) == 0 {
-		return nil, errors.New("no embedded root keys, please check clientupdate/distsign/roots/")
-	}
-	return keys, nil
-}

clientupdate/distsign/roots/distsign-dev-root-pub.pem

@@ -1,3 +0,0 @@
------BEGIN ROOT PUBLIC KEY-----
-Muw5GkO5mASsJ7k6kS+svfuanr6XcW9I7fPGtyqOTeI=
------END ROOT PUBLIC KEY-----

clientupdate/distsign/roots_test.go

@@ -1,16 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package distsign
-
-import "testing"
-
-func TestParseRoots(t *testing.T) {
-	roots, err := parseRoots()
-	if err != nil {
-		t.Fatal(err)
-	}
-	if len(roots) == 0 {
-		t.Error("parseRoots returned no root keys")
-	}
-}

cmd/addlicense/main.go

@@ -1,73 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// Program addlicense adds a license header to a file.
-// It is intended for use with 'go generate',
-// so it has a slightly weird usage.
-package main
-
-import (
-	"flag"
-	"fmt"
-	"os"
-	"os/exec"
-)
-
-var (
-	file = flag.String("file", "", "file to modify")
-)
-
-func usage() {
-	fmt.Fprintf(os.Stderr, `
-usage: addlicense -file FILE <subcommand args...>
-`[1:])
-
-	flag.PrintDefaults()
-	fmt.Fprintf(os.Stderr, `
-addlicense adds a Tailscale license to the beginning of file.
-
-It is intended for use with 'go generate', so it also runs a subcommand,
-which presumably creates the file.
-
-Sample usage:
-
-addlicense -file pull_strings.go stringer -type=pull
-`[1:])
-	os.Exit(2)
-}
-
-func main() {
-	flag.Usage = usage
-	flag.Parse()
-	if len(flag.Args()) == 0 {
-		flag.Usage()
-	}
-	cmd := exec.Command(flag.Arg(0), flag.Args()[1:]...)
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	err := cmd.Run()
-	check(err)
-	b, err := os.ReadFile(*file)
-	check(err)
-	f, err := os.OpenFile(*file, os.O_TRUNC|os.O_WRONLY, 0644)
-	check(err)
-	_, err = fmt.Fprint(f, license)
-	check(err)
-	_, err = f.Write(b)
-	check(err)
-	err = f.Close()
-	check(err)
-}
-
-func check(err error) {
-	if err != nil {
-		fmt.Fprintln(os.Stderr, err)
-		os.Exit(1)
-	}
-}
-
-var license = `
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-`[1:]

cmd/cloner/cloner.go

@@ -1,5 +1,6 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
 
 // Cloner is a tool to automate the creation of a Clone method.
 //
@@ -16,18 +17,22 @@ import (
 	"bytes"
 	"flag"
 	"fmt"
+	"go/ast"
+	"go/format"
+	"go/token"
 	"go/types"
+	"io/ioutil"
 	"log"
 	"os"
 	"strings"
 
-	"tailscale.com/util/codegen"
+	"golang.org/x/tools/go/packages"
 )
 
 var (
 	flagTypes     = flag.String("type", "", "comma-separated list of types; required")
+	flagOutput    = flag.String("output", "", "output file; required")
 	flagBuildTags = flag.String("tags", "", "compiler build tags to apply")
-	flagCloneFunc = flag.Bool("clonefunc", false, "add a top-level Clone func")
 )
 
 func main() {
@@ -40,157 +45,184 @@ func main() {
 	}
 	typeNames := strings.Split(*flagTypes, ",")
 
-	pkg, namedTypes, err := codegen.LoadTypes(*flagBuildTags, ".")
+	cfg := &packages.Config{
+		Mode:  packages.NeedTypes | packages.NeedTypesInfo | packages.NeedSyntax | packages.NeedName,
+		Tests: false,
+	}
+	if *flagBuildTags != "" {
+		cfg.BuildFlags = []string{"-tags=" + *flagBuildTags}
+	}
+	pkgs, err := packages.Load(cfg, ".")
 	if err != nil {
 		log.Fatal(err)
 	}
-	it := codegen.NewImportTracker(pkg.Types)
+	if len(pkgs) != 1 {
+		log.Fatalf("wrong number of packages: %d", len(pkgs))
+	}
+	pkg := pkgs[0]
 	buf := new(bytes.Buffer)
+	imports := make(map[string]struct{})
 	for _, typeName := range typeNames {
-		typ, ok := namedTypes[typeName]
-		if !ok {
+		found := false
+		for _, file := range pkg.Syntax {
+			//var fbuf bytes.Buffer
+			//ast.Fprint(&fbuf, pkg.Fset, file, nil)
+			//fmt.Println(fbuf.String())
+
+			for _, d := range file.Decls {
+				decl, ok := d.(*ast.GenDecl)
+				if !ok || decl.Tok != token.TYPE {
+					continue
+				}
+				for _, s := range decl.Specs {
+					spec, ok := s.(*ast.TypeSpec)
+					if !ok || spec.Name.Name != typeName {
+						continue
+					}
+					typeNameObj := pkg.TypesInfo.Defs[spec.Name]
+					typ, ok := typeNameObj.Type().(*types.Named)
+					if !ok {
+						continue
+					}
+					pkg := typeNameObj.Pkg()
+					gen(buf, imports, typeName, typ, pkg)
+				}
+				found = true
+			}
+		}
+		if !found {
 			log.Fatalf("could not find type %s", typeName)
 		}
-		gen(buf, it, typ)
 	}
 
-	w := func(format string, args ...any) {
-		fmt.Fprintf(buf, format+"\n", args...)
+	contents := new(bytes.Buffer)
+	fmt.Fprintf(contents, header, *flagTypes, pkg.Name)
+	fmt.Fprintf(contents, "import (\n")
+	for s := range imports {
+		fmt.Fprintf(contents, "\t%q\n", s)
 	}
-	if *flagCloneFunc {
-		w("// Clone duplicates src into dst and reports whether it succeeded.")
-		w("// To succeed, <src, dst> must be of types <*T, *T> or <*T, **T>,")
-		w("// where T is one of %s.", *flagTypes)
-		w("func Clone(dst, src any) bool {")
-		w("	switch src := src.(type) {")
-		for _, typeName := range typeNames {
-			w("	case *%s:", typeName)
-			w("		switch dst := dst.(type) {")
-			w("		case *%s:", typeName)
-			w("			*dst = *src.Clone()")
-			w("			return true")
-			w("		case **%s:", typeName)
-			w("			*dst = src.Clone()")
-			w("			return true")
-			w("		}")
-		}
-		w("	}")
-		w("	return false")
-		w("}")
+	fmt.Fprintf(contents, ")\n\n")
+	contents.Write(buf.Bytes())
+
+	out, err := format.Source(contents.Bytes())
+	if err != nil {
+		log.Fatalf("%s, in source:\n%s", err, contents.Bytes())
 	}
-	cloneOutput := pkg.Name + "_clone.go"
-	if err := codegen.WritePackageFile("tailscale.com/cmd/cloner", pkg, cloneOutput, it, buf); err != nil {
+
+	output := *flagOutput
+	if output == "" {
+		flag.Usage()
+		os.Exit(2)
+	}
+	if err := ioutil.WriteFile(output, out, 0666); err != nil {
 		log.Fatal(err)
 	}
 }
 
-func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
-	t, ok := typ.Underlying().(*types.Struct)
-	if !ok {
-		return
+const header = `// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Code generated by tailscale.com/cmd/cloner -type %s; DO NOT EDIT.
+
+package %s
+
+`
+
+func gen(buf *bytes.Buffer, imports map[string]struct{}, name string, typ *types.Named, thisPkg *types.Package) {
+	pkgQual := func(pkg *types.Package) string {
+		if thisPkg == pkg {
+			return ""
+		}
+		imports[pkg.Path()] = struct{}{}
+		return pkg.Name()
+	}
+	importedName := func(t types.Type) string {
+		return types.TypeString(t, pkgQual)
 	}
 
-	name := typ.Obj().Name()
-	fmt.Fprintf(buf, "// Clone makes a deep copy of %s.\n", name)
-	fmt.Fprintf(buf, "// The result aliases no memory with the original.\n")
-	fmt.Fprintf(buf, "func (src *%s) Clone() *%s {\n", name, name)
-	writef := func(format string, args ...any) {
-		fmt.Fprintf(buf, "\t"+format+"\n", args...)
-	}
-	writef("if src == nil {")
-	writef("\treturn nil")
-	writef("}")
-	writef("dst := new(%s)", name)
-	writef("*dst = *src")
-	for i := 0; i < t.NumFields(); i++ {
-		fname := t.Field(i).Name()
-		ft := t.Field(i).Type()
-		if !codegen.ContainsPointers(ft) || codegen.HasNoClone(t.Tag(i)) {
-			continue
+	switch t := typ.Underlying().(type) {
+	case *types.Struct:
+		_ = t
+		name := typ.Obj().Name()
+		fmt.Fprintf(buf, "// Clone makes a deep copy of %s.\n", name)
+		fmt.Fprintf(buf, "// The result aliases no memory with the original.\n")
+		fmt.Fprintf(buf, "func (src *%s) Clone() *%s {\n", name, name)
+		writef := func(format string, args ...interface{}) {
+			fmt.Fprintf(buf, "\t"+format+"\n", args...)
 		}
-		if named, _ := ft.(*types.Named); named != nil {
-			if codegen.IsViewType(ft) {
-				writef("dst.%s = src.%s", fname, fname)
+		writef("if src == nil {")
+		writef("\treturn nil")
+		writef("}")
+		writef("dst := new(%s)", name)
+		writef("*dst = *src")
+		for i := 0; i < t.NumFields(); i++ {
+			fname := t.Field(i).Name()
+			ft := t.Field(i).Type()
+			if !containsPointers(ft) {
 				continue
 			}
-			if !hasBasicUnderlying(ft) {
+			if named, _ := ft.(*types.Named); named != nil && !hasBasicUnderlying(ft) {
 				writef("dst.%s = *src.%s.Clone()", fname, fname)
 				continue
 			}
-		}
-		switch ft := ft.Underlying().(type) {
-		case *types.Slice:
-			if codegen.ContainsPointers(ft.Elem()) {
-				n := it.QualifiedName(ft.Elem())
-				writef("dst.%s = make([]%s, len(src.%s))", fname, n, fname)
-				writef("for i := range dst.%s {", fname)
-				if ptr, isPtr := ft.Elem().(*types.Pointer); isPtr {
-					if _, isBasic := ptr.Elem().Underlying().(*types.Basic); isBasic {
-						it.Import("tailscale.com/types/ptr")
-						writef("\tdst.%s[i] = ptr.To(*src.%s[i])", fname, fname)
-					} else {
+			switch ft := ft.Underlying().(type) {
+			case *types.Slice:
+				if containsPointers(ft.Elem()) {
+					n := importedName(ft.Elem())
+					writef("dst.%s = make([]%s, len(src.%s))", fname, n, fname)
+					writef("for i := range dst.%s {", fname)
+					if _, isPtr := ft.Elem().(*types.Pointer); isPtr {
 						writef("\tdst.%s[i] = src.%s[i].Clone()", fname, fname)
+					} else {
+						writef("\tdst.%s[i] = *src.%s[i].Clone()", fname, fname)
 					}
-				} else if ft.Elem().String() == "encoding/json.RawMessage" {
-					writef("\tdst.%s[i] = append(src.%s[i][:0:0], src.%s[i]...)", fname, fname, fname)
+					writef("}")
 				} else {
-					writef("\tdst.%s[i] = *src.%s[i].Clone()", fname, fname)
+					writef("dst.%s = append(src.%s[:0:0], src.%s...)", fname, fname, fname)
+				}
+			case *types.Pointer:
+				if named, _ := ft.Elem().(*types.Named); named != nil && containsPointers(ft.Elem()) {
+					writef("dst.%s = src.%s.Clone()", fname, fname)
+					continue
+				}
+				n := importedName(ft.Elem())
+				writef("if dst.%s != nil {", fname)
+				writef("\tdst.%s = new(%s)", fname, n)
+				writef("\t*dst.%s = *src.%s", fname, fname)
+				if containsPointers(ft.Elem()) {
+					writef("\t" + `panic("TODO pointers in pointers")`)
 				}
 				writef("}")
-			} else {
-				writef("dst.%s = append(src.%s[:0:0], src.%s...)", fname, fname, fname)
-			}
-		case *types.Pointer:
-			if named, _ := ft.Elem().(*types.Named); named != nil && codegen.ContainsPointers(ft.Elem()) {
-				writef("dst.%s = src.%s.Clone()", fname, fname)
-				continue
-			}
-			it.Import("tailscale.com/types/ptr")
-			writef("if dst.%s != nil {", fname)
-			writef("\tdst.%s = ptr.To(*src.%s)", fname, fname)
-			if codegen.ContainsPointers(ft.Elem()) {
-				writef("\t" + `panic("TODO pointers in pointers")`)
-			}
-			writef("}")
-		case *types.Map:
-			elem := ft.Elem()
-			if sliceType, isSlice := elem.(*types.Slice); isSlice {
-				n := it.QualifiedName(sliceType.Elem())
+			case *types.Map:
 				writef("if dst.%s != nil {", fname)
-				writef("\tdst.%s = map[%s]%s{}", fname, it.QualifiedName(ft.Key()), it.QualifiedName(elem))
-				writef("\tfor k := range src.%s {", fname)
-				// use zero-length slice instead of nil to ensure
-				// the key is always copied.
-				writef("\t\tdst.%s[k] = append([]%s{}, src.%s[k]...)", fname, n, fname)
-				writef("\t}")
-				writef("}")
-			} else if codegen.ContainsPointers(elem) {
-				writef("if dst.%s != nil {", fname)
-				writef("\tdst.%s = map[%s]%s{}", fname, it.QualifiedName(ft.Key()), it.QualifiedName(elem))
-				writef("\tfor k, v := range src.%s {", fname)
-				switch elem.(type) {
-				case *types.Pointer:
-					writef("\t\tdst.%s[k] = v.Clone()", fname)
-				default:
-					writef("\t\tdst.%s[k] = *(v.Clone())", fname)
+				writef("\tdst.%s = map[%s]%s{}", fname, importedName(ft.Key()), importedName(ft.Elem()))
+				if sliceType, isSlice := ft.Elem().(*types.Slice); isSlice {
+					n := importedName(sliceType.Elem())
+					writef("\tfor k := range src.%s {", fname)
+					// use zero-length slice instead of nil to ensure
+					// the key is always copied.
+					writef("\t\tdst.%s[k] = append([]%s{}, src.%s[k]...)", fname, n, fname)
+					writef("\t}")
+				} else if containsPointers(ft.Elem()) {
+					writef("\t\t" + `panic("TODO map value pointers")`)
+				} else {
+					writef("\tfor k, v := range src.%s {", fname)
+					writef("\t\tdst.%s[k] = v", fname)
+					writef("\t}")
 				}
-				writef("\t}")
 				writef("}")
-			} else {
-				it.Import("maps")
-				writef("\tdst.%s = maps.Clone(src.%s)", fname, fname)
+			case *types.Struct:
+				writef(`panic("TODO struct %s")`, fname)
+			default:
+				writef(`panic(fmt.Sprintf("TODO: %T", ft))`)
 			}
-		default:
-			writef(`panic("TODO: %s (%T)")`, fname, ft)
 		}
+		writef("return dst")
+		fmt.Fprintf(buf, "}\n\n")
 	}
-	writef("return dst")
-	fmt.Fprintf(buf, "}\n\n")
-
-	buf.Write(codegen.AssertStructUnchanged(t, name, "Clone", it))
 }
 
-// hasBasicUnderlying reports true when typ.Underlying() is a slice or a map.
 func hasBasicUnderlying(typ types.Type) bool {
 	switch typ.Underlying().(type) {
 	case *types.Slice, *types.Map:
@@ -199,3 +231,34 @@ func hasBasicUnderlying(typ types.Type) bool {
 		return false
 	}
 }
+
+func containsPointers(typ types.Type) bool {
+	switch typ.String() {
+	case "time.Time":
+		// time.Time contains a pointer that does not need copying
+		return false
+	case "inet.af/netaddr.IP":
+		return false
+	}
+	switch ft := typ.Underlying().(type) {
+	case *types.Array:
+		return containsPointers(ft.Elem())
+	case *types.Chan:
+		return true
+	case *types.Interface:
+		return true // a little too broad
+	case *types.Map:
+		return true
+	case *types.Pointer:
+		return true
+	case *types.Slice:
+		return true
+	case *types.Struct:
+		for i := 0; i < ft.NumFields(); i++ {
+			if containsPointers(ft.Field(i).Type()) {
+				return true
+			}
+		}
+	}
+	return false
+}

cmd/containerboot/kube.go

@@ -1,97 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build linux
-
-package main
-
-import (
-	"context"
-	"fmt"
-	"log"
-	"net/http"
-	"os"
-
-	"tailscale.com/kube"
-	"tailscale.com/tailcfg"
-)
-
-// findKeyInKubeSecret inspects the kube secret secretName for a data
-// field called "authkey", and returns its value if present.
-func findKeyInKubeSecret(ctx context.Context, secretName string) (string, error) {
-	s, err := kc.GetSecret(ctx, secretName)
-	if err != nil {
-		return "", err
-	}
-	ak, ok := s.Data["authkey"]
-	if !ok {
-		return "", nil
-	}
-	return string(ak), nil
-}
-
-// storeDeviceInfo writes deviceID into the "device_id" data field of the kube
-// secret secretName.
-func storeDeviceInfo(ctx context.Context, secretName string, deviceID tailcfg.StableNodeID, fqdn string) error {
-	// First check if the secret exists at all. Even if running on
-	// kubernetes, we do not necessarily store state in a k8s secret.
-	if _, err := kc.GetSecret(ctx, secretName); err != nil {
-		if s, ok := err.(*kube.Status); ok {
-			if s.Code >= 400 && s.Code <= 499 {
-				// Assume the secret doesn't exist, or we don't have
-				// permission to access it.
-				return nil
-			}
-		}
-		return err
-	}
-
-	m := &kube.Secret{
-		Data: map[string][]byte{
-			"device_id":   []byte(deviceID),
-			"device_fqdn": []byte(fqdn),
-		},
-	}
-	return kc.StrategicMergePatchSecret(ctx, secretName, m, "tailscale-container")
-}
-
-// deleteAuthKey deletes the 'authkey' field of the given kube
-// secret. No-op if there is no authkey in the secret.
-func deleteAuthKey(ctx context.Context, secretName string) error {
-	// m is a JSON Patch data structure, see https://jsonpatch.com/ or RFC 6902.
-	m := []kube.JSONPatch{
-		{
-			Op:   "remove",
-			Path: "/data/authkey",
-		},
-	}
-	if err := kc.JSONPatchSecret(ctx, secretName, m); err != nil {
-		if s, ok := err.(*kube.Status); ok && s.Code == http.StatusUnprocessableEntity {
-			// This is kubernetes-ese for "the field you asked to
-			// delete already doesn't exist", aka no-op.
-			return nil
-		}
-		return err
-	}
-	return nil
-}
-
-var kc *kube.Client
-
-func initKube(root string) {
-	if root != "/" {
-		// If we are running in a test, we need to set the root path to the fake
-		// service account directory.
-		kube.SetRootPathForTesting(root)
-	}
-	var err error
-	kc, err = kube.New()
-	if err != nil {
-		log.Fatalf("Error creating kube client: %v", err)
-	}
-	if root != "/" {
-		// If we are running in a test, we need to set the URL to the
-		// httptest server.
-		kc.SetURL(fmt.Sprintf("https://%s:%s", os.Getenv("KUBERNETES_SERVICE_HOST"), os.Getenv("KUBERNETES_SERVICE_PORT_HTTPS")))
-	}
-}

cmd/containerboot/main.go

@@ -1,714 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build linux
-
-// The containerboot binary is a wrapper for starting tailscaled in a container.
-// It handles reading the desired mode of operation out of environment
-// variables, bringing up and authenticating Tailscale, and any other
-// kubernetes-specific side jobs.
-//
-// As with most container things, configuration is passed through environment
-// variables. All configuration is optional.
-//
-//   - TS_AUTHKEY: the authkey to use for login.
-//   - TS_HOSTNAME: the hostname to request for the node.
-//   - TS_ROUTES: subnet routes to advertise.
-//   - TS_DEST_IP: proxy all incoming Tailscale traffic to the given
-//     destination.
-//   - TS_TAILSCALED_EXTRA_ARGS: extra arguments to 'tailscaled'.
-//   - TS_EXTRA_ARGS: extra arguments to 'tailscale login', these are not
-//     reset on restart.
-//   - TS_USERSPACE: run with userspace networking (the default)
-//     instead of kernel networking.
-//   - TS_STATE_DIR: the directory in which to store tailscaled
-//     state. The data should persist across container
-//     restarts.
-//   - TS_ACCEPT_DNS: whether to use the tailnet's DNS configuration.
-//   - TS_KUBE_SECRET: the name of the Kubernetes secret in which to
-//     store tailscaled state.
-//   - TS_SOCKS5_SERVER: the address on which to listen for SOCKS5
-//     proxying into the tailnet.
-//   - TS_OUTBOUND_HTTP_PROXY_LISTEN: the address on which to listen
-//     for HTTP proxying into the tailnet.
-//   - TS_SOCKET: the path where the tailscaled LocalAPI socket should
-//     be created.
-//   - TS_AUTH_ONCE: if true, only attempt to log in if not already
-//     logged in. If false (the default, for backwards
-//     compatibility), forcibly log in every time the
-//     container starts.
-//   - TS_SERVE_CONFIG: if specified, is the file path where the ipn.ServeConfig is located.
-//     It will be applied once tailscaled is up and running. If the file contains
-//     ${TS_CERT_DOMAIN}, it will be replaced with the value of the available FQDN.
-//     It cannot be used in conjunction with TS_DEST_IP. The file is watched for changes,
-//     and will be re-applied when it changes.
-//
-// When running on Kubernetes, containerboot defaults to storing state in the
-// "tailscale" kube secret. To store state on local disk instead, set
-// TS_KUBE_SECRET="" and TS_STATE_DIR=/path/to/storage/dir. The state dir should
-// be persistent storage.
-//
-// Additionally, if TS_AUTHKEY is not set and the TS_KUBE_SECRET contains an
-// "authkey" field, that key is used as the tailscale authkey.
-package main
-
-import (
-	"bytes"
-	"context"
-	"encoding/json"
-	"errors"
-	"fmt"
-	"io/fs"
-	"log"
-	"net/netip"
-	"os"
-	"os/exec"
-	"os/signal"
-	"path/filepath"
-	"reflect"
-	"strconv"
-	"strings"
-	"sync/atomic"
-	"syscall"
-	"time"
-
-	"github.com/fsnotify/fsnotify"
-	"golang.org/x/sys/unix"
-	"tailscale.com/client/tailscale"
-	"tailscale.com/ipn"
-	"tailscale.com/types/ptr"
-	"tailscale.com/util/deephash"
-)
-
-func main() {
-	log.SetPrefix("boot: ")
-	tailscale.I_Acknowledge_This_API_Is_Unstable = true
-
-	cfg := &settings{
-		AuthKey:         defaultEnvs([]string{"TS_AUTHKEY", "TS_AUTH_KEY"}, ""),
-		Hostname:        defaultEnv("TS_HOSTNAME", ""),
-		Routes:          defaultEnv("TS_ROUTES", ""),
-		ProxyTo:         defaultEnv("TS_DEST_IP", ""),
-		ServeConfigPath: defaultEnv("TS_SERVE_CONFIG", ""),
-		DaemonExtraArgs: defaultEnv("TS_TAILSCALED_EXTRA_ARGS", ""),
-		ExtraArgs:       defaultEnv("TS_EXTRA_ARGS", ""),
-		InKubernetes:    os.Getenv("KUBERNETES_SERVICE_HOST") != "",
-		UserspaceMode:   defaultBool("TS_USERSPACE", true),
-		StateDir:        defaultEnv("TS_STATE_DIR", ""),
-		AcceptDNS:       defaultBool("TS_ACCEPT_DNS", false),
-		KubeSecret:      defaultEnv("TS_KUBE_SECRET", "tailscale"),
-		SOCKSProxyAddr:  defaultEnv("TS_SOCKS5_SERVER", ""),
-		HTTPProxyAddr:   defaultEnv("TS_OUTBOUND_HTTP_PROXY_LISTEN", ""),
-		Socket:          defaultEnv("TS_SOCKET", "/tmp/tailscaled.sock"),
-		AuthOnce:        defaultBool("TS_AUTH_ONCE", false),
-		Root:            defaultEnv("TS_TEST_ONLY_ROOT", "/"),
-	}
-
-	if cfg.ProxyTo != "" && cfg.UserspaceMode {
-		log.Fatal("TS_DEST_IP is not supported with TS_USERSPACE")
-	}
-	if cfg.ProxyTo != "" && cfg.ServeConfigPath != "" {
-		log.Fatal("TS_DEST_IP is not supported with TS_SERVE_CONFIG")
-	}
-
-	if !cfg.UserspaceMode {
-		if err := ensureTunFile(cfg.Root); err != nil {
-			log.Fatalf("Unable to create tuntap device file: %v", err)
-		}
-		if cfg.ProxyTo != "" || cfg.Routes != "" {
-			if err := ensureIPForwarding(cfg.Root, cfg.ProxyTo, cfg.Routes); err != nil {
-				log.Printf("Failed to enable IP forwarding: %v", err)
-				log.Printf("To run tailscale as a proxy or router container, IP forwarding must be enabled.")
-				if cfg.InKubernetes {
-					log.Fatalf("You can either set the sysctls as a privileged initContainer, or run the tailscale container with privileged=true.")
-				} else {
-					log.Fatalf("You can fix this by running the container with privileged=true, or the equivalent in your container runtime that permits access to sysctls.")
-				}
-			}
-		}
-	}
-
-	if cfg.InKubernetes {
-		initKube(cfg.Root)
-	}
-
-	// Context is used for all setup stuff until we're in steady
-	// state, so that if something is hanging we eventually time out
-	// and crashloop the container.
-	bootCtx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
-	defer cancel()
-
-	if cfg.InKubernetes && cfg.KubeSecret != "" {
-		canPatch, err := kc.CheckSecretPermissions(bootCtx, cfg.KubeSecret)
-		if err != nil {
-			log.Fatalf("Some Kubernetes permissions are missing, please check your RBAC configuration: %v", err)
-		}
-		cfg.KubernetesCanPatch = canPatch
-
-		if cfg.AuthKey == "" {
-			key, err := findKeyInKubeSecret(bootCtx, cfg.KubeSecret)
-			if err != nil {
-				log.Fatalf("Getting authkey from kube secret: %v", err)
-			}
-			if key != "" {
-				// This behavior of pulling authkeys from kube secrets was added
-				// at the same time as the patch permission, so we can enforce
-				// that we must be able to patch out the authkey after
-				// authenticating if you want to use this feature. This avoids
-				// us having to deal with the case where we might leave behind
-				// an unnecessary reusable authkey in a secret, like a rake in
-				// the grass.
-				if !cfg.KubernetesCanPatch {
-					log.Fatalf("authkey found in TS_KUBE_SECRET, but the pod doesn't have patch permissions on the secret to manage the authkey.")
-				}
-				log.Print("Using authkey found in kube secret")
-				cfg.AuthKey = key
-			} else {
-				log.Print("No authkey found in kube secret and TS_AUTHKEY not provided, login will be interactive if needed.")
-			}
-		}
-	}
-
-	client, daemonPid, err := startTailscaled(bootCtx, cfg)
-	if err != nil {
-		log.Fatalf("failed to bring up tailscale: %v", err)
-	}
-
-	w, err := client.WatchIPNBus(bootCtx, ipn.NotifyInitialNetMap|ipn.NotifyInitialPrefs|ipn.NotifyInitialState)
-	if err != nil {
-		log.Fatalf("failed to watch tailscaled for updates: %v", err)
-	}
-
-	// Because we're still shelling out to `tailscale up` to get access to its
-	// flag parser, we have to stop watching the IPN bus so that we can block on
-	// the subcommand without stalling anything. Then once it's done, we resume
-	// watching the bus.
-	//
-	// Depending on the requested mode of operation, this auth step happens at
-	// different points in containerboot's lifecycle, hence the helper function.
-	didLogin := false
-	authTailscale := func() error {
-		if didLogin {
-			return nil
-		}
-		didLogin = true
-		w.Close()
-		if err := tailscaleLogin(bootCtx, cfg); err != nil {
-			return fmt.Errorf("failed to auth tailscale: %v", err)
-		}
-		w, err = client.WatchIPNBus(bootCtx, ipn.NotifyInitialNetMap|ipn.NotifyInitialState)
-		if err != nil {
-			return fmt.Errorf("rewatching tailscaled for updates after auth: %v", err)
-		}
-		return nil
-	}
-
-	if !cfg.AuthOnce {
-		if err := authTailscale(); err != nil {
-			log.Fatalf("failed to auth tailscale: %v", err)
-		}
-	}
-
-authLoop:
-	for {
-		n, err := w.Next()
-		if err != nil {
-			log.Fatalf("failed to read from tailscaled: %v", err)
-		}
-
-		if n.State != nil {
-			switch *n.State {
-			case ipn.NeedsLogin:
-				if err := authTailscale(); err != nil {
-					log.Fatalf("failed to auth tailscale: %v", err)
-				}
-			case ipn.NeedsMachineAuth:
-				log.Printf("machine authorization required, please visit the admin panel")
-			case ipn.Running:
-				// Technically, all we want is to keep monitoring the bus for
-				// netmap updates. However, in order to make the container crash
-				// if tailscale doesn't initially come up, the watch has a
-				// startup deadline on it. So, we have to break out of this
-				// watch loop, cancel the watch, and watch again with no
-				// deadline to continue monitoring for changes.
-				break authLoop
-			default:
-				log.Printf("tailscaled in state %q, waiting", *n.State)
-			}
-		}
-	}
-
-	w.Close()
-
-	ctx, cancel := context.WithCancel(context.Background()) // no deadline now that we're in steady state
-	defer cancel()
-
-	// Now that we are authenticated, we can set/reset any of the
-	// settings that we need to.
-	if err := tailscaleSet(ctx, cfg); err != nil {
-		log.Fatalf("failed to auth tailscale: %v", err)
-	}
-	// Remove any serve config that may have been set by a previous
-	// run of containerboot.
-	if err := client.SetServeConfig(ctx, new(ipn.ServeConfig)); err != nil {
-		log.Fatalf("failed to unset serve config: %v", err)
-	}
-
-	if cfg.InKubernetes && cfg.KubeSecret != "" && cfg.KubernetesCanPatch && cfg.AuthOnce {
-		// We were told to only auth once, so any secret-bound
-		// authkey is no longer needed. We don't strictly need to
-		// wipe it, but it's good hygiene.
-		log.Printf("Deleting authkey from kube secret")
-		if err := deleteAuthKey(ctx, cfg.KubeSecret); err != nil {
-			log.Fatalf("deleting authkey from kube secret: %v", err)
-		}
-	}
-
-	w, err = client.WatchIPNBus(ctx, ipn.NotifyInitialNetMap|ipn.NotifyInitialState)
-	if err != nil {
-		log.Fatalf("rewatching tailscaled for updates after auth: %v", err)
-	}
-
-	var (
-		wantProxy         = cfg.ProxyTo != ""
-		wantDeviceInfo    = cfg.InKubernetes && cfg.KubeSecret != "" && cfg.KubernetesCanPatch
-		startupTasksDone  = false
-		currentIPs        deephash.Sum // tailscale IPs assigned to device
-		currentDeviceInfo deephash.Sum // device ID and fqdn
-
-		certDomain        = new(atomic.Pointer[string])
-		certDomainChanged = make(chan bool, 1)
-	)
-	if cfg.ServeConfigPath != "" {
-		go watchServeConfigChanges(ctx, cfg.ServeConfigPath, certDomainChanged, certDomain, client)
-	}
-	for {
-		n, err := w.Next()
-		if err != nil {
-			log.Fatalf("failed to read from tailscaled: %v", err)
-		}
-
-		if n.State != nil && *n.State != ipn.Running {
-			// Something's gone wrong and we've left the authenticated state.
-			// Our container image never recovered gracefully from this, and the
-			// control flow required to make it work now is hard. So, just crash
-			// the container and rely on the container runtime to restart us,
-			// whereupon we'll go through initial auth again.
-			log.Fatalf("tailscaled left running state (now in state %q), exiting", *n.State)
-		}
-		if n.NetMap != nil {
-			if cfg.ProxyTo != "" && len(n.NetMap.Addresses) > 0 && deephash.Update(&currentIPs, &n.NetMap.Addresses) {
-				if err := installIPTablesRule(ctx, cfg.ProxyTo, n.NetMap.Addresses); err != nil {
-					log.Fatalf("installing proxy rules: %v", err)
-				}
-			}
-			if cfg.ServeConfigPath != "" && len(n.NetMap.DNS.CertDomains) > 0 {
-				cd := n.NetMap.DNS.CertDomains[0]
-				prev := certDomain.Swap(ptr.To(cd))
-				if prev == nil || *prev != cd {
-					select {
-					case certDomainChanged <- true:
-					default:
-					}
-				}
-			}
-			deviceInfo := []any{n.NetMap.SelfNode.StableID(), n.NetMap.SelfNode.Name()}
-			if cfg.InKubernetes && cfg.KubernetesCanPatch && cfg.KubeSecret != "" && deephash.Update(&currentDeviceInfo, &deviceInfo) {
-				if err := storeDeviceInfo(ctx, cfg.KubeSecret, n.NetMap.SelfNode.StableID(), n.NetMap.SelfNode.Name()); err != nil {
-					log.Fatalf("storing device ID in kube secret: %v", err)
-				}
-			}
-		}
-		if !startupTasksDone {
-			if (!wantProxy || currentIPs != deephash.Sum{}) && (!wantDeviceInfo || currentDeviceInfo != deephash.Sum{}) {
-				// This log message is used in tests to detect when all
-				// post-auth configuration is done.
-				log.Println("Startup complete, waiting for shutdown signal")
-				startupTasksDone = true
-
-				// Reap all processes, since we are PID1 and need to collect zombies. We can
-				// only start doing this once we've stopped shelling out to things
-				// `tailscale up`, otherwise this goroutine can reap the CLI subprocesses
-				// and wedge bringup.
-				go func() {
-					for {
-						var status unix.WaitStatus
-						pid, err := unix.Wait4(-1, &status, 0, nil)
-						if errors.Is(err, unix.EINTR) {
-							continue
-						}
-						if err != nil {
-							log.Fatalf("Waiting for exited processes: %v", err)
-						}
-						if pid == daemonPid {
-							log.Printf("Tailscaled exited")
-							os.Exit(0)
-						}
-					}
-				}()
-			}
-		}
-	}
-}
-
-// watchServeConfigChanges watches path for changes, and when it sees one, reads
-// the serve config from it, replacing ${TS_CERT_DOMAIN} with certDomain, and
-// applies it to lc. It exits when ctx is canceled. cdChanged is a channel that
-// is written to when the certDomain changes, causing the serve config to be
-// re-read and applied.
-func watchServeConfigChanges(ctx context.Context, path string, cdChanged <-chan bool, certDomainAtomic *atomic.Pointer[string], lc *tailscale.LocalClient) {
-	if certDomainAtomic == nil {
-		panic("cd must not be nil")
-	}
-	var tickChan <-chan time.Time
-	w, err := fsnotify.NewWatcher()
-	if err != nil {
-		log.Printf("failed to create fsnotify watcher, timer-only mode: %v", err)
-		ticker := time.NewTicker(5 * time.Second)
-		defer ticker.Stop()
-		tickChan = ticker.C
-	} else {
-		defer w.Close()
-	}
-
-	if err := w.Add(filepath.Dir(path)); err != nil {
-		log.Fatalf("failed to add fsnotify watch: %v", err)
-	}
-	var certDomain string
-	var prevServeConfig *ipn.ServeConfig
-	for {
-		select {
-		case <-ctx.Done():
-			return
-		case <-cdChanged:
-			certDomain = *certDomainAtomic.Load()
-		case <-tickChan:
-		case <-w.Events:
-			// We can't do any reasonable filtering on the event because of how
-			// k8s handles these mounts. So just re-read the file and apply it
-			// if it's changed.
-		}
-		if certDomain == "" {
-			continue
-		}
-		sc, err := readServeConfig(path, certDomain)
-		if err != nil {
-			log.Fatalf("failed to read serve config: %v", err)
-		}
-		if prevServeConfig != nil && reflect.DeepEqual(sc, prevServeConfig) {
-			continue
-		}
-		log.Printf("Applying serve config")
-		if err := lc.SetServeConfig(ctx, sc); err != nil {
-			log.Fatalf("failed to set serve config: %v", err)
-		}
-		prevServeConfig = sc
-	}
-}
-
-// readServeConfig reads the ipn.ServeConfig from path, replacing
-// ${TS_CERT_DOMAIN} with certDomain.
-func readServeConfig(path, certDomain string) (*ipn.ServeConfig, error) {
-	if path == "" {
-		return nil, nil
-	}
-	j, err := os.ReadFile(path)
-	if err != nil {
-		return nil, err
-	}
-	j = bytes.ReplaceAll(j, []byte("${TS_CERT_DOMAIN}"), []byte(certDomain))
-	var sc ipn.ServeConfig
-	if err := json.Unmarshal(j, &sc); err != nil {
-		return nil, err
-	}
-	return &sc, nil
-}
-
-func startTailscaled(ctx context.Context, cfg *settings) (*tailscale.LocalClient, int, error) {
-	args := tailscaledArgs(cfg)
-	sigCh := make(chan os.Signal, 1)
-	signal.Notify(sigCh, unix.SIGTERM, unix.SIGINT)
-	// tailscaled runs without context, since it needs to persist
-	// beyond the startup timeout in ctx.
-	cmd := exec.Command("tailscaled", args...)
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	cmd.SysProcAttr = &syscall.SysProcAttr{
-		Setpgid: true,
-	}
-	log.Printf("Starting tailscaled")
-	if err := cmd.Start(); err != nil {
-		return nil, 0, fmt.Errorf("starting tailscaled failed: %v", err)
-	}
-	go func() {
-		<-sigCh
-		log.Printf("Received SIGTERM from container runtime, shutting down tailscaled")
-		cmd.Process.Signal(unix.SIGTERM)
-	}()
-
-	// Wait for the socket file to appear, otherwise API ops will racily fail.
-	log.Printf("Waiting for tailscaled socket")
-	for {
-		if ctx.Err() != nil {
-			log.Fatalf("Timed out waiting for tailscaled socket")
-		}
-		_, err := os.Stat(cfg.Socket)
-		if errors.Is(err, fs.ErrNotExist) {
-			time.Sleep(100 * time.Millisecond)
-			continue
-		} else if err != nil {
-			log.Fatalf("Waiting for tailscaled socket: %v", err)
-		}
-		break
-	}
-
-	tsClient := &tailscale.LocalClient{
-		Socket:        cfg.Socket,
-		UseSocketOnly: true,
-	}
-
-	return tsClient, cmd.Process.Pid, nil
-}
-
-// tailscaledArgs uses cfg to construct the argv for tailscaled.
-func tailscaledArgs(cfg *settings) []string {
-	args := []string{"--socket=" + cfg.Socket}
-	switch {
-	case cfg.InKubernetes && cfg.KubeSecret != "":
-		args = append(args, "--state=kube:"+cfg.KubeSecret)
-		if cfg.StateDir == "" {
-			cfg.StateDir = "/tmp"
-		}
-		fallthrough
-	case cfg.StateDir != "":
-		args = append(args, "--statedir="+cfg.StateDir)
-	default:
-		args = append(args, "--state=mem:", "--statedir=/tmp")
-	}
-
-	if cfg.UserspaceMode {
-		args = append(args, "--tun=userspace-networking")
-	} else if err := ensureTunFile(cfg.Root); err != nil {
-		log.Fatalf("ensuring that /dev/net/tun exists: %v", err)
-	}
-
-	if cfg.SOCKSProxyAddr != "" {
-		args = append(args, "--socks5-server="+cfg.SOCKSProxyAddr)
-	}
-	if cfg.HTTPProxyAddr != "" {
-		args = append(args, "--outbound-http-proxy-listen="+cfg.HTTPProxyAddr)
-	}
-	if cfg.DaemonExtraArgs != "" {
-		args = append(args, strings.Fields(cfg.DaemonExtraArgs)...)
-	}
-	return args
-}
-
-// tailscaleLogin uses cfg to run 'tailscale login' everytime containerboot
-// starts, or if TS_AUTH_ONCE is set, only the first time containerboot starts.
-func tailscaleLogin(ctx context.Context, cfg *settings) error {
-	args := []string{"--socket=" + cfg.Socket, "login"}
-	if cfg.AuthKey != "" {
-		args = append(args, "--authkey="+cfg.AuthKey)
-	}
-	if cfg.ExtraArgs != "" {
-		args = append(args, strings.Fields(cfg.ExtraArgs)...)
-	}
-	log.Printf("Running 'tailscale login'")
-	cmd := exec.CommandContext(ctx, "tailscale", args...)
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	if err := cmd.Run(); err != nil {
-		return fmt.Errorf("tailscale login failed: %v", err)
-	}
-	return nil
-}
-
-// tailscaleSet uses cfg to run 'tailscale set' to set any known configuration
-// options that are passed in via environment variables. This is run after the
-// node is in Running state.
-func tailscaleSet(ctx context.Context, cfg *settings) error {
-	args := []string{"--socket=" + cfg.Socket, "set"}
-	if cfg.AcceptDNS {
-		args = append(args, "--accept-dns=true")
-	} else {
-		args = append(args, "--accept-dns=false")
-	}
-	if cfg.Routes != "" {
-		args = append(args, "--advertise-routes="+cfg.Routes)
-	}
-	if cfg.Hostname != "" {
-		args = append(args, "--hostname="+cfg.Hostname)
-	}
-	log.Printf("Running 'tailscale set'")
-	cmd := exec.CommandContext(ctx, "tailscale", args...)
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	if err := cmd.Run(); err != nil {
-		return fmt.Errorf("tailscale set failed: %v", err)
-	}
-	return nil
-}
-
-// ensureTunFile checks that /dev/net/tun exists, creating it if
-// missing.
-func ensureTunFile(root string) error {
-	// Verify that /dev/net/tun exists, in some container envs it
-	// needs to be mknod-ed.
-	if _, err := os.Stat(filepath.Join(root, "dev/net")); errors.Is(err, fs.ErrNotExist) {
-		if err := os.MkdirAll(filepath.Join(root, "dev/net"), 0755); err != nil {
-			return err
-		}
-	}
-	if _, err := os.Stat(filepath.Join(root, "dev/net/tun")); errors.Is(err, fs.ErrNotExist) {
-		dev := unix.Mkdev(10, 200) // tuntap major and minor
-		if err := unix.Mknod(filepath.Join(root, "dev/net/tun"), 0600|unix.S_IFCHR, int(dev)); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// ensureIPForwarding enables IPv4/IPv6 forwarding for the container.
-func ensureIPForwarding(root, proxyTo, routes string) error {
-	var (
-		v4Forwarding, v6Forwarding bool
-	)
-	if proxyTo != "" {
-		proxyIP, err := netip.ParseAddr(proxyTo)
-		if err != nil {
-			return fmt.Errorf("invalid proxy destination IP: %v", err)
-		}
-		if proxyIP.Is4() {
-			v4Forwarding = true
-		} else {
-			v6Forwarding = true
-		}
-	}
-	if routes != "" {
-		for _, route := range strings.Split(routes, ",") {
-			cidr, err := netip.ParsePrefix(route)
-			if err != nil {
-				return fmt.Errorf("invalid subnet route: %v", err)
-			}
-			if cidr.Addr().Is4() {
-				v4Forwarding = true
-			} else {
-				v6Forwarding = true
-			}
-		}
-	}
-
-	var paths []string
-	if v4Forwarding {
-		paths = append(paths, filepath.Join(root, "proc/sys/net/ipv4/ip_forward"))
-	}
-	if v6Forwarding {
-		paths = append(paths, filepath.Join(root, "proc/sys/net/ipv6/conf/all/forwarding"))
-	}
-
-	// In some common configurations (e.g. default docker,
-	// kubernetes), the container environment denies write access to
-	// most sysctls, including IP forwarding controls. Check the
-	// sysctl values before trying to change them, so that we
-	// gracefully do nothing if the container's already been set up
-	// properly by e.g. a k8s initContainer.
-	for _, path := range paths {
-		bs, err := os.ReadFile(path)
-		if err != nil {
-			return fmt.Errorf("reading %q: %w", path, err)
-		}
-		if v := strings.TrimSpace(string(bs)); v != "1" {
-			if err := os.WriteFile(path, []byte("1"), 0644); err != nil {
-				return fmt.Errorf("enabling %q: %w", path, err)
-			}
-		}
-	}
-	return nil
-}
-
-func installIPTablesRule(ctx context.Context, dstStr string, tsIPs []netip.Prefix) error {
-	dst, err := netip.ParseAddr(dstStr)
-	if err != nil {
-		return err
-	}
-	argv0 := "iptables"
-	if dst.Is6() {
-		argv0 = "ip6tables"
-	}
-	var local string
-	for _, pfx := range tsIPs {
-		if !pfx.IsSingleIP() {
-			continue
-		}
-		if pfx.Addr().Is4() != dst.Is4() {
-			continue
-		}
-		local = pfx.Addr().String()
-		break
-	}
-	if local == "" {
-		return fmt.Errorf("no tailscale IP matching family of %s found in %v", dstStr, tsIPs)
-	}
-	// Technically, if the control server ever changes the IPs assigned to this
-	// node, we'll slowly accumulate iptables rules. This shouldn't happen, so
-	// for now we'll live with it.
-	cmd := exec.CommandContext(ctx, argv0, "-t", "nat", "-I", "PREROUTING", "1", "-d", local, "-j", "DNAT", "--to-destination", dstStr)
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	if err := cmd.Run(); err != nil {
-		return fmt.Errorf("executing iptables failed: %w", err)
-	}
-	return nil
-}
-
-// settings is all the configuration for containerboot.
-type settings struct {
-	AuthKey            string
-	Hostname           string
-	Routes             string
-	ProxyTo            string
-	ServeConfigPath    string
-	DaemonExtraArgs    string
-	ExtraArgs          string
-	InKubernetes       bool
-	UserspaceMode      bool
-	StateDir           string
-	AcceptDNS          bool
-	KubeSecret         string
-	SOCKSProxyAddr     string
-	HTTPProxyAddr      string
-	Socket             string
-	AuthOnce           bool
-	Root               string
-	KubernetesCanPatch bool
-}
-
-// defaultEnv returns the value of the given envvar name, or defVal if
-// unset.
-func defaultEnv(name, defVal string) string {
-	if v, ok := os.LookupEnv(name); ok {
-		return v
-	}
-	return defVal
-}
-
-func defaultEnvs(names []string, defVal string) string {
-	for _, name := range names {
-		if v, ok := os.LookupEnv(name); ok {
-			return v
-		}
-	}
-	return defVal
-}
-
-// defaultBool returns the boolean value of the given envvar name, or
-// defVal if unset or not a bool.
-func defaultBool(name string, defVal bool) bool {
-	v := os.Getenv(name)
-	ret, err := strconv.ParseBool(v)
-	if err != nil {
-		return defVal
-	}
-	return ret
-}

cmd/containerboot/test_tailscale.sh

@@ -1,8 +0,0 @@
-#!/usr/bin/env bash
-#
-# This is a fake tailscale CLI (and also iptables and ip6tables) that
-# records its arguments and exits successfully.
-#
-# It is used by main_test.go to test the behavior of containerboot.
-
-echo $0 $@ >>$TS_TEST_RECORD_ARGS

cmd/containerboot/test_tailscaled.sh

@@ -1,37 +0,0 @@
-#!/usr/bin/env bash
-#
-# This is a fake tailscale CLI that records its arguments, symlinks a
-# fake LocalAPI socket into place, and does nothing until terminated.
-#
-# It is used by main_test.go to test the behavior of containerboot.
-
-set -eu
-
-echo $0 $@ >>$TS_TEST_RECORD_ARGS
-
-socket=""
-while [[ $# -gt 0 ]]; do
-	case $1 in
-		--socket=*)
-			socket="${1#--socket=}"
-			shift
-			;;
-		--socket)
-			shift
-			socket="$1"
-			shift
-			;;
-		*)
-			shift
-			;;
-	esac
-done
-
-if [[ -z "$socket" ]]; then
-	echo "didn't find socket path in args"
-	exit 1
-fi
-
-ln -s "$TS_TEST_SOCKET" "$socket"
-
-while true; do sleep 1; done

cmd/derper/bootstrap_dns.go

@@ -1,148 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package main
-
-import (
-	"context"
-	"encoding/json"
-	"expvar"
-	"log"
-	"net"
-	"net/http"
-	"strings"
-	"time"
-
-	"tailscale.com/syncs"
-	"tailscale.com/util/slicesx"
-)
-
-const refreshTimeout = time.Minute
-
-type dnsEntryMap map[string][]net.IP
-
-var (
-	dnsCache            syncs.AtomicValue[dnsEntryMap]
-	dnsCacheBytes       syncs.AtomicValue[[]byte] // of JSON
-	unpublishedDNSCache syncs.AtomicValue[dnsEntryMap]
-	bootstrapLookupMap  syncs.Map[string, bool]
-)
-
-var (
-	bootstrapDNSRequests = expvar.NewInt("counter_bootstrap_dns_requests")
-	publishedDNSHits     = expvar.NewInt("counter_bootstrap_dns_published_hits")
-	publishedDNSMisses   = expvar.NewInt("counter_bootstrap_dns_published_misses")
-	unpublishedDNSHits   = expvar.NewInt("counter_bootstrap_dns_unpublished_hits")
-	unpublishedDNSMisses = expvar.NewInt("counter_bootstrap_dns_unpublished_misses")
-)
-
-func init() {
-	expvar.Publish("counter_bootstrap_dns_queried_domains", expvar.Func(func() any {
-		return bootstrapLookupMap.Len()
-	}))
-}
-
-func refreshBootstrapDNSLoop() {
-	if *bootstrapDNS == "" && *unpublishedDNS == "" {
-		return
-	}
-	for {
-		refreshBootstrapDNS()
-		refreshUnpublishedDNS()
-		time.Sleep(10 * time.Minute)
-	}
-}
-
-func refreshBootstrapDNS() {
-	if *bootstrapDNS == "" {
-		return
-	}
-	ctx, cancel := context.WithTimeout(context.Background(), refreshTimeout)
-	defer cancel()
-	dnsEntries := resolveList(ctx, strings.Split(*bootstrapDNS, ","))
-	// Randomize the order of the IPs for each name to avoid the client biasing
-	// to IPv6
-	for k := range dnsEntries {
-		ips := dnsEntries[k]
-		slicesx.Shuffle(ips)
-		dnsEntries[k] = ips
-	}
-	j, err := json.MarshalIndent(dnsEntries, "", "\t")
-	if err != nil {
-		// leave the old values in place
-		return
-	}
-
-	dnsCache.Store(dnsEntries)
-	dnsCacheBytes.Store(j)
-}
-
-func refreshUnpublishedDNS() {
-	if *unpublishedDNS == "" {
-		return
-	}
-
-	ctx, cancel := context.WithTimeout(context.Background(), refreshTimeout)
-	defer cancel()
-
-	dnsEntries := resolveList(ctx, strings.Split(*unpublishedDNS, ","))
-	unpublishedDNSCache.Store(dnsEntries)
-}
-
-func resolveList(ctx context.Context, names []string) dnsEntryMap {
-	dnsEntries := make(dnsEntryMap)
-
-	var r net.Resolver
-	for _, name := range names {
-		addrs, err := r.LookupIP(ctx, "ip", name)
-		if err != nil {
-			log.Printf("bootstrap DNS lookup %q: %v", name, err)
-			continue
-		}
-		dnsEntries[name] = addrs
-	}
-	return dnsEntries
-}
-
-func handleBootstrapDNS(w http.ResponseWriter, r *http.Request) {
-	bootstrapDNSRequests.Add(1)
-
-	w.Header().Set("Content-Type", "application/json")
-	// Bootstrap DNS requests occur cross-regions, and are randomized per
-	// request, so keeping a connection open is pointlessly expensive.
-	w.Header().Set("Connection", "close")
-
-	// Try answering a query from our hidden map first
-	if q := r.URL.Query().Get("q"); q != "" {
-		bootstrapLookupMap.Store(q, true)
-		if ips, ok := unpublishedDNSCache.Load()[q]; ok && len(ips) > 0 {
-			unpublishedDNSHits.Add(1)
-
-			// Only return the specific query, not everything.
-			m := dnsEntryMap{q: ips}
-			j, err := json.MarshalIndent(m, "", "\t")
-			if err == nil {
-				w.Write(j)
-				return
-			}
-		}
-
-		// If we have a "q" query for a name in the published cache
-		// list, then track whether that's a hit/miss.
-		if m, ok := dnsCache.Load()[q]; ok {
-			if len(m) > 0 {
-				publishedDNSHits.Add(1)
-			} else {
-				publishedDNSMisses.Add(1)
-			}
-		} else {
-			// If it wasn't in either cache, treat this as a query
-			// for the unpublished cache, and thus a cache miss.
-			unpublishedDNSMisses.Add(1)
-		}
-	}
-
-	// Fall back to returning the public set of cached DNS names
-	j := dnsCacheBytes.Load()
-	w.Write(j)
-}

cmd/derper/bootstrap_dns_test.go

@@ -1,165 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package main
-
-import (
-	"encoding/json"
-	"net"
-	"net/http"
-	"net/http/httptest"
-	"net/url"
-	"reflect"
-	"testing"
-
-	"tailscale.com/tstest"
-)
-
-func BenchmarkHandleBootstrapDNS(b *testing.B) {
-	tstest.Replace(b, bootstrapDNS, "log.tailscale.io,login.tailscale.com,controlplane.tailscale.com,login.us.tailscale.com")
-	refreshBootstrapDNS()
-	w := new(bitbucketResponseWriter)
-	req, _ := http.NewRequest("GET", "https://localhost/bootstrap-dns?q="+url.QueryEscape("log.tailscale.io"), nil)
-	b.ReportAllocs()
-	b.ResetTimer()
-	b.RunParallel(func(b *testing.PB) {
-		for b.Next() {
-			handleBootstrapDNS(w, req)
-		}
-	})
-}
-
-type bitbucketResponseWriter struct{}
-
-func (b *bitbucketResponseWriter) Header() http.Header { return make(http.Header) }
-
-func (b *bitbucketResponseWriter) Write(p []byte) (int, error) { return len(p), nil }
-
-func (b *bitbucketResponseWriter) WriteHeader(statusCode int) {}
-
-func getBootstrapDNS(t *testing.T, q string) dnsEntryMap {
-	t.Helper()
-	req, _ := http.NewRequest("GET", "https://localhost/bootstrap-dns?q="+url.QueryEscape(q), nil)
-	w := httptest.NewRecorder()
-	handleBootstrapDNS(w, req)
-
-	res := w.Result()
-	if res.StatusCode != 200 {
-		t.Fatalf("got status=%d; want %d", res.StatusCode, 200)
-	}
-	var ips dnsEntryMap
-	if err := json.NewDecoder(res.Body).Decode(&ips); err != nil {
-		t.Fatalf("error decoding response body: %v", err)
-	}
-	return ips
-}
-
-func TestUnpublishedDNS(t *testing.T) {
-	const published = "login.tailscale.com"
-	const unpublished = "log.tailscale.io"
-
-	prev1, prev2 := *bootstrapDNS, *unpublishedDNS
-	*bootstrapDNS = published
-	*unpublishedDNS = unpublished
-	t.Cleanup(func() {
-		*bootstrapDNS = prev1
-		*unpublishedDNS = prev2
-	})
-
-	refreshBootstrapDNS()
-	refreshUnpublishedDNS()
-
-	hasResponse := func(q string) bool {
-		_, found := getBootstrapDNS(t, q)[q]
-		return found
-	}
-
-	if !hasResponse(published) {
-		t.Errorf("expected response for: %s", published)
-	}
-	if !hasResponse(unpublished) {
-		t.Errorf("expected response for: %s", unpublished)
-	}
-
-	// Verify that querying for a random query or a real query does not
-	// leak our unpublished domain
-	m1 := getBootstrapDNS(t, published)
-	if _, found := m1[unpublished]; found {
-		t.Errorf("found unpublished domain %s: %+v", unpublished, m1)
-	}
-	m2 := getBootstrapDNS(t, "random.example.com")
-	if _, found := m2[unpublished]; found {
-		t.Errorf("found unpublished domain %s: %+v", unpublished, m2)
-	}
-}
-
-func resetMetrics() {
-	publishedDNSHits.Set(0)
-	publishedDNSMisses.Set(0)
-	unpublishedDNSHits.Set(0)
-	unpublishedDNSMisses.Set(0)
-	bootstrapLookupMap.Clear()
-}
-
-// Verify that we don't count an empty list in the unpublishedDNSCache as a
-// cache hit in our metrics.
-func TestUnpublishedDNSEmptyList(t *testing.T) {
-	pub := dnsEntryMap{
-		"tailscale.com": {net.IPv4(10, 10, 10, 10)},
-	}
-	dnsCache.Store(pub)
-	dnsCacheBytes.Store([]byte(`{"tailscale.com":["10.10.10.10"]}`))
-
-	unpublishedDNSCache.Store(dnsEntryMap{
-		"log.tailscale.io":           {},
-		"controlplane.tailscale.com": {net.IPv4(1, 2, 3, 4)},
-	})
-
-	t.Run("CacheMiss", func(t *testing.T) {
-		// One domain in map but empty, one not in map at all
-		for _, q := range []string{"log.tailscale.io", "login.tailscale.com"} {
-			resetMetrics()
-			ips := getBootstrapDNS(t, q)
-
-			// Expected our public map to be returned on a cache miss
-			if !reflect.DeepEqual(ips, pub) {
-				t.Errorf("got ips=%+v; want %+v", ips, pub)
-			}
-			if v := unpublishedDNSHits.Value(); v != 0 {
-				t.Errorf("got hits=%d; want 0", v)
-			}
-			if v := unpublishedDNSMisses.Value(); v != 1 {
-				t.Errorf("got misses=%d; want 1", v)
-			}
-		}
-	})
-
-	// Verify that we do get a valid response and metric.
-	t.Run("CacheHit", func(t *testing.T) {
-		resetMetrics()
-		ips := getBootstrapDNS(t, "controlplane.tailscale.com")
-		want := dnsEntryMap{"controlplane.tailscale.com": {net.IPv4(1, 2, 3, 4)}}
-		if !reflect.DeepEqual(ips, want) {
-			t.Errorf("got ips=%+v; want %+v", ips, want)
-		}
-		if v := unpublishedDNSHits.Value(); v != 1 {
-			t.Errorf("got hits=%d; want 1", v)
-		}
-		if v := unpublishedDNSMisses.Value(); v != 0 {
-			t.Errorf("got misses=%d; want 0", v)
-		}
-	})
-
-}
-
-func TestLookupMetric(t *testing.T) {
-	d := []string{"a.io", "b.io", "c.io", "d.io", "e.io", "e.io", "e.io", "a.io"}
-	resetMetrics()
-	for _, q := range d {
-		_ = getBootstrapDNS(t, q)
-	}
-	// {"a.io": true, "b.io": true, "c.io": true, "d.io": true, "e.io": true}
-	if bootstrapLookupMap.Len() != 5 {
-		t.Errorf("bootstrapLookupMap.Len() want=5, got %v", bootstrapLookupMap.Len())
-	}
-}

cmd/derper/cert.go

@@ -1,105 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package main
-
-import (
-	"crypto/tls"
-	"crypto/x509"
-	"errors"
-	"fmt"
-	"net/http"
-	"path/filepath"
-	"regexp"
-
-	"golang.org/x/crypto/acme/autocert"
-)
-
-var unsafeHostnameCharacters = regexp.MustCompile(`[^a-zA-Z0-9-\.]`)
-
-type certProvider interface {
-	// TLSConfig creates a new TLS config suitable for net/http.Server servers.
-	//
-	// The returned Config must have a GetCertificate function set and that
-	// function must return a unique *tls.Certificate for each call. The
-	// returned *tls.Certificate will be mutated by the caller to append to the
-	// (*tls.Certificate).Certificate field.
-	TLSConfig() *tls.Config
-	// HTTPHandler handle ACME related request, if any.
-	HTTPHandler(fallback http.Handler) http.Handler
-}
-
-func certProviderByCertMode(mode, dir, hostname string) (certProvider, error) {
-	if dir == "" {
-		return nil, errors.New("missing required --certdir flag")
-	}
-	switch mode {
-	case "letsencrypt":
-		certManager := &autocert.Manager{
-			Prompt:     autocert.AcceptTOS,
-			HostPolicy: autocert.HostWhitelist(hostname),
-			Cache:      autocert.DirCache(dir),
-		}
-		if hostname == "derp.tailscale.com" {
-			certManager.HostPolicy = prodAutocertHostPolicy
-			certManager.Email = "security@tailscale.com"
-		}
-		return certManager, nil
-	case "manual":
-		return NewManualCertManager(dir, hostname)
-	default:
-		return nil, fmt.Errorf("unsupport cert mode: %q", mode)
-	}
-}
-
-type manualCertManager struct {
-	cert     *tls.Certificate
-	hostname string
-}
-
-// NewManualCertManager returns a cert provider which read certificate by given hostname on create.
-func NewManualCertManager(certdir, hostname string) (certProvider, error) {
-	keyname := unsafeHostnameCharacters.ReplaceAllString(hostname, "")
-	crtPath := filepath.Join(certdir, keyname+".crt")
-	keyPath := filepath.Join(certdir, keyname+".key")
-	cert, err := tls.LoadX509KeyPair(crtPath, keyPath)
-	if err != nil {
-		return nil, fmt.Errorf("can not load x509 key pair for hostname %q: %w", keyname, err)
-	}
-	// ensure hostname matches with the certificate
-	x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
-	if err != nil {
-		return nil, fmt.Errorf("can not load cert: %w", err)
-	}
-	if err := x509Cert.VerifyHostname(hostname); err != nil {
-		return nil, fmt.Errorf("cert invalid for hostname %q: %w", hostname, err)
-	}
-	return &manualCertManager{cert: &cert, hostname: hostname}, nil
-}
-
-func (m *manualCertManager) TLSConfig() *tls.Config {
-	return &tls.Config{
-		Certificates: nil,
-		NextProtos: []string{
-			"http/1.1",
-		},
-		GetCertificate: m.getCertificate,
-	}
-}
-
-func (m *manualCertManager) getCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
-	if hi.ServerName != m.hostname {
-		return nil, fmt.Errorf("cert mismatch with hostname: %q", hi.ServerName)
-	}
-
-	// Return a shallow copy of the cert so the caller can append to its
-	// Certificate field.
-	certCopy := new(tls.Certificate)
-	*certCopy = *m.cert
-	certCopy.Certificate = certCopy.Certificate[:len(certCopy.Certificate):len(certCopy.Certificate)]
-	return certCopy, nil
-}
-
-func (m *manualCertManager) HTTPHandler(fallback http.Handler) http.Handler {
-	return fallback
-}

cmd/derper/depaware.txt

@@ -1,283 +0,0 @@
-tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depaware)
-
-        filippo.io/edwards25519                                      from github.com/hdevalence/ed25519consensus
-        filippo.io/edwards25519/field                                from filippo.io/edwards25519
-   W 💣 github.com/Microsoft/go-winio                                from tailscale.com/safesocket
-   W 💣 github.com/Microsoft/go-winio/internal/fs                    from github.com/Microsoft/go-winio
-   W 💣 github.com/Microsoft/go-winio/internal/socket                from github.com/Microsoft/go-winio
-   W    github.com/Microsoft/go-winio/internal/stringbuffer          from github.com/Microsoft/go-winio/internal/fs
-   W    github.com/Microsoft/go-winio/pkg/guid                       from github.com/Microsoft/go-winio+
-   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/internal/common+
-   W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
-   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
-        github.com/beorn7/perks/quantile                             from github.com/prometheus/client_golang/prometheus
-     💣 github.com/cespare/xxhash/v2                                 from github.com/prometheus/client_golang/prometheus
-   L    github.com/coreos/go-iptables/iptables                       from tailscale.com/util/linuxfw
-   W 💣 github.com/dblohm7/wingoes                                   from tailscale.com/util/winutil
-        github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
-        github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
-        github.com/golang/protobuf/proto                             from github.com/matttproud/golang_protobuf_extensions/pbutil+
-   L    github.com/google/nftables                                   from tailscale.com/util/linuxfw
-   L 💣 github.com/google/nftables/alignedbuff                       from github.com/google/nftables/xt
-   L 💣 github.com/google/nftables/binaryutil                        from github.com/google/nftables+
-   L    github.com/google/nftables/expr                              from github.com/google/nftables+
-   L    github.com/google/nftables/internal/parseexprfunc            from github.com/google/nftables+
-   L    github.com/google/nftables/xt                                from github.com/google/nftables/expr+
-        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka
-   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
-   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces+
-   L    github.com/jsimonetti/rtnetlink/internal/unix                from github.com/jsimonetti/rtnetlink
-        github.com/klauspost/compress/flate                          from nhooyr.io/websocket
-        github.com/matttproud/golang_protobuf_extensions/pbutil      from github.com/prometheus/common/expfmt
-   L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
-   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
-   L    github.com/mdlayher/netlink/nltest                           from github.com/google/nftables
-   L 💣 github.com/mdlayher/socket                                   from github.com/mdlayher/netlink
-     💣 github.com/mitchellh/go-ps                                   from tailscale.com/safesocket
-     💣 github.com/prometheus/client_golang/prometheus               from tailscale.com/tsweb/promvarz
-        github.com/prometheus/client_golang/prometheus/internal      from github.com/prometheus/client_golang/prometheus
-        github.com/prometheus/client_model/go                        from github.com/prometheus/client_golang/prometheus+
-        github.com/prometheus/common/expfmt                          from github.com/prometheus/client_golang/prometheus+
-        github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg from github.com/prometheus/common/expfmt
-        github.com/prometheus/common/model                           from github.com/prometheus/client_golang/prometheus+
-  LD    github.com/prometheus/procfs                                 from github.com/prometheus/client_golang/prometheus
-  LD    github.com/prometheus/procfs/internal/fs                     from github.com/prometheus/procfs
-  LD    github.com/prometheus/procfs/internal/util                   from github.com/prometheus/procfs
-   L 💣 github.com/tailscale/netlink                                 from tailscale.com/util/linuxfw
-   L 💣 github.com/vishvananda/netlink/nl                            from github.com/tailscale/netlink
-   L    github.com/vishvananda/netns                                 from github.com/tailscale/netlink+
-        github.com/x448/float16                                      from github.com/fxamacker/cbor/v2
-     💣 go4.org/mem                                                  from tailscale.com/client/tailscale+
-        go4.org/netipx                                               from tailscale.com/wgengine/filter+
-   W 💣 golang.zx2c4.com/wireguard/windows/tunnel/winipcfg           from tailscale.com/net/interfaces+
-        google.golang.org/protobuf/encoding/prototext                from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/encoding/protowire                from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/internal/descfmt                  from google.golang.org/protobuf/internal/filedesc
-        google.golang.org/protobuf/internal/descopts                 from google.golang.org/protobuf/internal/filedesc+
-        google.golang.org/protobuf/internal/detrand                  from google.golang.org/protobuf/internal/descfmt+
-        google.golang.org/protobuf/internal/encoding/defval          from google.golang.org/protobuf/internal/encoding/tag+
-        google.golang.org/protobuf/internal/encoding/messageset      from google.golang.org/protobuf/encoding/prototext+
-        google.golang.org/protobuf/internal/encoding/tag             from google.golang.org/protobuf/internal/impl
-        google.golang.org/protobuf/internal/encoding/text            from google.golang.org/protobuf/encoding/prototext+
-        google.golang.org/protobuf/internal/errors                   from google.golang.org/protobuf/encoding/prototext+
-        google.golang.org/protobuf/internal/filedesc                 from google.golang.org/protobuf/internal/encoding/tag+
-        google.golang.org/protobuf/internal/filetype                 from google.golang.org/protobuf/runtime/protoimpl
-        google.golang.org/protobuf/internal/flags                    from google.golang.org/protobuf/encoding/prototext+
-        google.golang.org/protobuf/internal/genid                    from google.golang.org/protobuf/encoding/prototext+
-     💣 google.golang.org/protobuf/internal/impl                     from google.golang.org/protobuf/internal/filetype+
-        google.golang.org/protobuf/internal/order                    from google.golang.org/protobuf/encoding/prototext+
-        google.golang.org/protobuf/internal/pragma                   from google.golang.org/protobuf/encoding/prototext+
-        google.golang.org/protobuf/internal/set                      from google.golang.org/protobuf/encoding/prototext
-     💣 google.golang.org/protobuf/internal/strs                     from google.golang.org/protobuf/encoding/prototext+
-        google.golang.org/protobuf/internal/version                  from google.golang.org/protobuf/runtime/protoimpl
-        google.golang.org/protobuf/proto                             from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/reflect/protodesc                 from github.com/golang/protobuf/proto
-     💣 google.golang.org/protobuf/reflect/protoreflect              from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/reflect/protoregistry             from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/runtime/protoiface                from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/runtime/protoimpl                 from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/types/descriptorpb                from google.golang.org/protobuf/reflect/protodesc
-        google.golang.org/protobuf/types/known/timestamppb           from github.com/prometheus/client_golang/prometheus+
-        nhooyr.io/websocket                                          from tailscale.com/cmd/derper+
-        nhooyr.io/websocket/internal/errd                            from nhooyr.io/websocket
-        nhooyr.io/websocket/internal/xsync                           from nhooyr.io/websocket
-        tailscale.com                                                from tailscale.com/version
-        tailscale.com/atomicfile                                     from tailscale.com/cmd/derper+
-        tailscale.com/client/tailscale                               from tailscale.com/derp
-        tailscale.com/client/tailscale/apitype                       from tailscale.com/client/tailscale
-        tailscale.com/derp                                           from tailscale.com/cmd/derper+
-        tailscale.com/derp/derphttp                                  from tailscale.com/cmd/derper
-        tailscale.com/disco                                          from tailscale.com/derp
-        tailscale.com/envknob                                        from tailscale.com/derp+
-        tailscale.com/health                                         from tailscale.com/net/tlsdial
-        tailscale.com/hostinfo                                       from tailscale.com/net/interfaces+
-        tailscale.com/ipn                                            from tailscale.com/client/tailscale
-        tailscale.com/ipn/ipnstate                                   from tailscale.com/client/tailscale+
-        tailscale.com/metrics                                        from tailscale.com/cmd/derper+
-        tailscale.com/net/dnscache                                   from tailscale.com/derp/derphttp
-        tailscale.com/net/flowtrack                                  from tailscale.com/net/packet+
-     💣 tailscale.com/net/interfaces                                 from tailscale.com/net/netns+
-        tailscale.com/net/netaddr                                    from tailscale.com/ipn+
-        tailscale.com/net/netknob                                    from tailscale.com/net/netns
-        tailscale.com/net/netmon                                     from tailscale.com/net/sockstats+
-        tailscale.com/net/netns                                      from tailscale.com/derp/derphttp
-        tailscale.com/net/netutil                                    from tailscale.com/client/tailscale
-        tailscale.com/net/packet                                     from tailscale.com/wgengine/filter
-        tailscale.com/net/sockstats                                  from tailscale.com/derp/derphttp
-        tailscale.com/net/stun                                       from tailscale.com/cmd/derper
-   L    tailscale.com/net/tcpinfo                                    from tailscale.com/derp
-        tailscale.com/net/tlsdial                                    from tailscale.com/derp/derphttp
-        tailscale.com/net/tsaddr                                     from tailscale.com/ipn+
-     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/derp/derphttp+
-        tailscale.com/net/wsconn                                     from tailscale.com/cmd/derper+
-        tailscale.com/paths                                          from tailscale.com/client/tailscale
-        tailscale.com/safesocket                                     from tailscale.com/client/tailscale
-        tailscale.com/syncs                                          from tailscale.com/cmd/derper+
-        tailscale.com/tailcfg                                        from tailscale.com/client/tailscale+
-        tailscale.com/tka                                            from tailscale.com/client/tailscale+
-   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
-        tailscale.com/tstime                                         from tailscale.com/derp+
-        tailscale.com/tstime/mono                                    from tailscale.com/tstime/rate
-        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter+
-        tailscale.com/tsweb                                          from tailscale.com/cmd/derper
-        tailscale.com/tsweb/promvarz                                 from tailscale.com/tsweb
-        tailscale.com/tsweb/varz                                     from tailscale.com/tsweb+
-        tailscale.com/types/dnstype                                  from tailscale.com/tailcfg
-        tailscale.com/types/empty                                    from tailscale.com/ipn
-        tailscale.com/types/ipproto                                  from tailscale.com/net/flowtrack+
-        tailscale.com/types/key                                      from tailscale.com/cmd/derper+
-        tailscale.com/types/lazy                                     from tailscale.com/version+
-        tailscale.com/types/logger                                   from tailscale.com/cmd/derper+
-        tailscale.com/types/netmap                                   from tailscale.com/ipn
-        tailscale.com/types/opt                                      from tailscale.com/client/tailscale+
-        tailscale.com/types/persist                                  from tailscale.com/ipn
-        tailscale.com/types/preftype                                 from tailscale.com/ipn
-        tailscale.com/types/ptr                                      from tailscale.com/hostinfo+
-        tailscale.com/types/structs                                  from tailscale.com/ipn+
-        tailscale.com/types/tkatype                                  from tailscale.com/types/key+
-        tailscale.com/types/views                                    from tailscale.com/ipn/ipnstate+
-   W    tailscale.com/util/clientmetric                              from tailscale.com/net/tshttpproxy
-        tailscale.com/util/cloudenv                                  from tailscale.com/hostinfo+
-   W    tailscale.com/util/cmpver                                    from tailscale.com/net/tshttpproxy
-        tailscale.com/util/cmpx                                      from tailscale.com/cmd/derper+
-   L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics
-        tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
-        tailscale.com/util/httpm                                     from tailscale.com/client/tailscale
-        tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
-   L    tailscale.com/util/linuxfw                                   from tailscale.com/net/netns
-        tailscale.com/util/mak                                       from tailscale.com/syncs+
-        tailscale.com/util/multierr                                  from tailscale.com/health+
-        tailscale.com/util/set                                       from tailscale.com/health+
-        tailscale.com/util/singleflight                              from tailscale.com/net/dnscache
-        tailscale.com/util/slicesx                                   from tailscale.com/cmd/derper+
-        tailscale.com/util/vizerror                                  from tailscale.com/tsweb
-   W 💣 tailscale.com/util/winutil                                   from tailscale.com/hostinfo+
-        tailscale.com/version                                        from tailscale.com/derp+
-        tailscale.com/version/distro                                 from tailscale.com/hostinfo+
-        tailscale.com/wgengine/filter                                from tailscale.com/types/netmap
-        golang.org/x/crypto/acme                                     from golang.org/x/crypto/acme/autocert
-        golang.org/x/crypto/acme/autocert                            from tailscale.com/cmd/derper
-        golang.org/x/crypto/argon2                                   from tailscale.com/tka
-        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box+
-        golang.org/x/crypto/blake2s                                  from tailscale.com/tka
-        golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305
-        golang.org/x/crypto/chacha20poly1305                         from crypto/tls
-        golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
-        golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
-        golang.org/x/crypto/curve25519                               from golang.org/x/crypto/nacl/box+
-        golang.org/x/crypto/hkdf                                     from crypto/tls
-        golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
-        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
-        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
-   L    golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
-        golang.org/x/net/dns/dnsmessage                              from net+
-        golang.org/x/net/http/httpguts                               from net/http
-        golang.org/x/net/http/httpproxy                              from net/http+
-        golang.org/x/net/http2/hpack                                 from net/http
-        golang.org/x/net/idna                                        from golang.org/x/crypto/acme/autocert+
-        golang.org/x/net/proxy                                       from tailscale.com/net/netns
-   D    golang.org/x/net/route                                       from net+
-        golang.org/x/sync/errgroup                                   from github.com/mdlayher/socket+
-        golang.org/x/sys/cpu                                         from golang.org/x/crypto/blake2b+
-  LD    golang.org/x/sys/unix                                        from github.com/jsimonetti/rtnetlink/internal/unix+
-   W    golang.org/x/sys/windows                                     from golang.org/x/sys/windows/registry+
-   W    golang.org/x/sys/windows/registry                            from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
-   W    golang.org/x/sys/windows/svc                                 from golang.org/x/sys/windows/svc/mgr+
-   W    golang.org/x/sys/windows/svc/mgr                             from tailscale.com/util/winutil
-        golang.org/x/text/secure/bidirule                            from golang.org/x/net/idna
-        golang.org/x/text/transform                                  from golang.org/x/text/secure/bidirule+
-        golang.org/x/text/unicode/bidi                               from golang.org/x/net/idna+
-        golang.org/x/text/unicode/norm                               from golang.org/x/net/idna
-        golang.org/x/time/rate                                       from tailscale.com/cmd/derper+
-        bufio                                                        from compress/flate+
-        bytes                                                        from bufio+
-        cmp                                                          from slices
-        compress/flate                                               from compress/gzip+
-        compress/gzip                                                from internal/profile+
-        container/list                                               from crypto/tls+
-        context                                                      from crypto/tls+
-        crypto                                                       from crypto/ecdsa+
-        crypto/aes                                                   from crypto/ecdsa+
-        crypto/cipher                                                from crypto/aes+
-        crypto/des                                                   from crypto/tls+
-        crypto/dsa                                                   from crypto/x509
-        crypto/ecdh                                                  from crypto/ecdsa+
-        crypto/ecdsa                                                 from crypto/tls+
-        crypto/ed25519                                               from crypto/tls+
-        crypto/elliptic                                              from crypto/ecdsa+
-        crypto/hmac                                                  from crypto/tls+
-        crypto/md5                                                   from crypto/tls+
-        crypto/rand                                                  from crypto/ed25519+
-        crypto/rc4                                                   from crypto/tls
-        crypto/rsa                                                   from crypto/tls+
-        crypto/sha1                                                  from crypto/tls+
-        crypto/sha256                                                from crypto/tls+
-        crypto/sha512                                                from crypto/ecdsa+
-        crypto/subtle                                                from crypto/aes+
-        crypto/tls                                                   from golang.org/x/crypto/acme+
-        crypto/x509                                                  from crypto/tls+
-        crypto/x509/pkix                                             from crypto/x509+
-        embed                                                        from crypto/internal/nistec+
-        encoding                                                     from encoding/json+
-        encoding/asn1                                                from crypto/x509+
-        encoding/base32                                              from tailscale.com/tka
-        encoding/base64                                              from encoding/json+
-        encoding/binary                                              from compress/gzip+
-        encoding/hex                                                 from crypto/x509+
-        encoding/json                                                from expvar+
-        encoding/pem                                                 from crypto/tls+
-        errors                                                       from bufio+
-        expvar                                                       from tailscale.com/cmd/derper+
-        flag                                                         from tailscale.com/cmd/derper
-        fmt                                                          from compress/flate+
-        go/token                                                     from google.golang.org/protobuf/internal/strs
-        hash                                                         from crypto+
-        hash/crc32                                                   from compress/gzip+
-        hash/fnv                                                     from google.golang.org/protobuf/internal/detrand
-        hash/maphash                                                 from go4.org/mem
-        html                                                         from net/http/pprof+
-        io                                                           from bufio+
-        io/fs                                                        from crypto/x509+
-        io/ioutil                                                    from github.com/mitchellh/go-ps+
-        log                                                          from expvar+
-        log/internal                                                 from log
-        maps                                                         from tailscale.com/types/views+
-        math                                                         from compress/flate+
-        math/big                                                     from crypto/dsa+
-        math/bits                                                    from compress/flate+
-        math/rand                                                    from github.com/mdlayher/netlink+
-        mime                                                         from mime/multipart+
-        mime/multipart                                               from net/http
-        mime/quotedprintable                                         from mime/multipart
-        net                                                          from crypto/tls+
-        net/http                                                     from expvar+
-        net/http/httptrace                                           from net/http+
-        net/http/internal                                            from net/http
-        net/http/pprof                                               from tailscale.com/tsweb+
-        net/netip                                                    from go4.org/netipx+
-        net/textproto                                                from golang.org/x/net/http/httpguts+
-        net/url                                                      from crypto/x509+
-        os                                                           from crypto/rand+
-        os/exec                                                      from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
-   W    os/user                                                      from tailscale.com/util/winutil
-        path                                                         from golang.org/x/crypto/acme/autocert+
-        path/filepath                                                from crypto/x509+
-        reflect                                                      from crypto/x509+
-        regexp                                                       from internal/profile+
-        regexp/syntax                                                from regexp
-        runtime/debug                                                from golang.org/x/crypto/acme+
-        runtime/metrics                                              from github.com/prometheus/client_golang/prometheus+
-        runtime/pprof                                                from net/http/pprof
-        runtime/trace                                                from net/http/pprof
-        slices                                                       from tailscale.com/ipn+
-        sort                                                         from compress/flate+
-        strconv                                                      from compress/flate+
-        strings                                                      from bufio+
-        sync                                                         from compress/flate+
-        sync/atomic                                                  from context+
-        syscall                                                      from crypto/rand+
-        text/tabwriter                                               from runtime/pprof
-        time                                                         from compress/gzip+
-        unicode                                                      from bytes+
-        unicode/utf16                                                from crypto/x509+
-        unicode/utf8                                                 from bufio+

cmd/derper/derper.go

@@ -1,106 +1,66 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
 
 // The derper binary is a simple DERP server.
 package main // import "tailscale.com/cmd/derper"
 
 import (
 	"context"
-	"crypto/tls"
 	"encoding/json"
 	"errors"
 	"expvar"
 	"flag"
 	"fmt"
 	"io"
+	"io/ioutil"
 	"log"
-	"math"
 	"net"
 	"net/http"
-	"net/netip"
 	"os"
 	"path/filepath"
 	"regexp"
 	"strings"
 	"time"
 
-	"go4.org/mem"
-	"golang.org/x/time/rate"
+	"github.com/tailscale/wireguard-go/wgcfg"
+	"golang.org/x/crypto/acme/autocert"
 	"tailscale.com/atomicfile"
 	"tailscale.com/derp"
 	"tailscale.com/derp/derphttp"
+	"tailscale.com/logpolicy"
 	"tailscale.com/metrics"
 	"tailscale.com/net/stun"
 	"tailscale.com/tsweb"
 	"tailscale.com/types/key"
-	"tailscale.com/util/cmpx"
 )
 
 var (
-	dev        = flag.Bool("dev", false, "run in localhost development mode (overrides -a)")
-	addr       = flag.String("a", ":443", "server HTTP/HTTPS listen address, in form \":port\", \"ip:port\", or for IPv6 \"[ip]:port\". If the IP is omitted, it defaults to all interfaces. Serves HTTPS if the port is 443 and/or -certmode is manual, otherwise HTTP.")
-	httpPort   = flag.Int("http-port", 80, "The port on which to serve HTTP. Set to -1 to disable. The listener is bound to the same IP (if any) as specified in the -a flag.")
-	stunPort   = flag.Int("stun-port", 3478, "The UDP port on which to serve STUN. The listener is bound to the same IP (if any) as specified in the -a flag.")
-	configPath = flag.String("c", "", "config file path")
-	certMode   = flag.String("certmode", "letsencrypt", "mode for getting a cert. possible options: manual, letsencrypt")
-	certDir    = flag.String("certdir", tsweb.DefaultCertDir("derper-certs"), "directory to store LetsEncrypt certs, if addr's port is :443")
-	hostname   = flag.String("hostname", "derp.tailscale.com", "LetsEncrypt host name, if addr's port is :443")
-	runSTUN    = flag.Bool("stun", true, "whether to run a STUN server. It will bind to the same IP (if any) as the --addr flag value.")
-	runDERP    = flag.Bool("derp", true, "whether to run a DERP server. The only reason to set this false is if you're decommissioning a server but want to keep its bootstrap DNS functionality still running.")
-
-	meshPSKFile    = flag.String("mesh-psk-file", defaultMeshPSKFile(), "if non-empty, path to file containing the mesh pre-shared key file. It should contain some hex string; whitespace is trimmed.")
-	meshWith       = flag.String("mesh-with", "", "optional comma-separated list of hostnames to mesh with; the server's own hostname can be in the list")
-	bootstrapDNS   = flag.String("bootstrap-dns-names", "", "optional comma-separated list of hostnames to make available at /bootstrap-dns")
-	unpublishedDNS = flag.String("unpublished-bootstrap-dns-names", "", "optional comma-separated list of hostnames to make available at /bootstrap-dns and not publish in the list")
-	verifyClients  = flag.Bool("verify-clients", false, "verify clients to this DERP server through a local tailscaled instance.")
-
-	acceptConnLimit = flag.Float64("accept-connection-limit", math.Inf(+1), "rate limit for accepting new connection")
-	acceptConnBurst = flag.Int("accept-connection-burst", math.MaxInt, "burst limit for accepting new connection")
+	dev           = flag.Bool("dev", false, "run in localhost development mode")
+	addr          = flag.String("a", ":443", "server address")
+	configPath    = flag.String("c", "", "config file path")
+	certDir       = flag.String("certdir", tsweb.DefaultCertDir("derper-certs"), "directory to store LetsEncrypt certs, if addr's port is :443")
+	hostname      = flag.String("hostname", "derp.tailscale.com", "LetsEncrypt host name, if addr's port is :443")
+	logCollection = flag.String("logcollection", "", "If non-empty, logtail collection to log to")
+	runSTUN       = flag.Bool("stun", false, "also run a STUN server")
+	meshPSKFile   = flag.String("mesh-psk-file", defaultMeshPSKFile(), "if non-empty, path to file containing the mesh pre-shared key file. It should contain some hex string; whitespace is trimmed.")
+	meshWith      = flag.String("mesh-with", "", "optional comma-separated list of hostnames to mesh with; the server's own hostname can be in the list")
 )
 
-var (
-	stats             = new(metrics.Set)
-	stunDisposition   = &metrics.LabelMap{Label: "disposition"}
-	stunAddrFamily    = &metrics.LabelMap{Label: "family"}
-	tlsRequestVersion = &metrics.LabelMap{Label: "version"}
-	tlsActiveVersion  = &metrics.LabelMap{Label: "version"}
-
-	stunReadError  = stunDisposition.Get("read_error")
-	stunNotSTUN    = stunDisposition.Get("not_stun")
-	stunWriteError = stunDisposition.Get("write_error")
-	stunSuccess    = stunDisposition.Get("success")
-
-	stunIPv4 = stunAddrFamily.Get("ipv4")
-	stunIPv6 = stunAddrFamily.Get("ipv6")
-)
-
-func init() {
-	stats.Set("counter_requests", stunDisposition)
-	stats.Set("counter_addrfamily", stunAddrFamily)
-	expvar.Publish("stun", stats)
-	expvar.Publish("derper_tls_request_version", tlsRequestVersion)
-	expvar.Publish("gauge_derper_tls_active_version", tlsActiveVersion)
-}
-
 type config struct {
-	PrivateKey key.NodePrivate
+	PrivateKey wgcfg.PrivateKey
 }
 
 func loadConfig() config {
 	if *dev {
-		return config{PrivateKey: key.NewNode()}
+		return config{PrivateKey: mustNewKey()}
 	}
 	if *configPath == "" {
-		if os.Getuid() == 0 {
-			*configPath = "/var/lib/derper/derper.key"
-		} else {
-			log.Fatalf("derper: -c <config path> not specified")
-		}
-		log.Printf("no config path specified; using %s", *configPath)
+		log.Fatalf("derper: -c <config path> not specified")
 	}
-	b, err := os.ReadFile(*configPath)
+	b, err := ioutil.ReadFile(*configPath)
 	switch {
-	case errors.Is(err, os.ErrNotExist):
+	case os.IsNotExist(err):
 		return writeNewConfig()
 	case err != nil:
 		log.Fatal(err)
@@ -114,19 +74,27 @@ func loadConfig() config {
 	}
 }
 
+func mustNewKey() wgcfg.PrivateKey {
+	key, err := wgcfg.NewPrivateKey()
+	if err != nil {
+		log.Fatal(err)
+	}
+	return key
+}
+
 func writeNewConfig() config {
-	k := key.NewNode()
+	key := mustNewKey()
 	if err := os.MkdirAll(filepath.Dir(*configPath), 0777); err != nil {
 		log.Fatal(err)
 	}
 	cfg := config{
-		PrivateKey: k,
+		PrivateKey: key,
 	}
 	b, err := json.MarshalIndent(cfg, "", "\t")
 	if err != nil {
 		log.Fatal(err)
 	}
-	if err := atomicfile.WriteFile(*configPath, b, 0600); err != nil {
+	if err := atomicfile.WriteFile(*configPath, b, 0666); err != nil {
 		log.Fatal(err)
 	}
 	return cfg
@@ -136,25 +104,26 @@ func main() {
 	flag.Parse()
 
 	if *dev {
+		*logCollection = ""
 		*addr = ":3340" // above the keys DERP
 		log.Printf("Running in dev mode.")
 		tsweb.DevMode = true
 	}
 
-	listenHost, _, err := net.SplitHostPort(*addr)
-	if err != nil {
-		log.Fatalf("invalid server address: %v", err)
+	var logPol *logpolicy.Policy
+	if *logCollection != "" {
+		logPol = logpolicy.New(*logCollection)
+		log.SetOutput(logPol.Logtail)
 	}
 
 	cfg := loadConfig()
 
-	serveTLS := tsweb.IsProd443(*addr) || *certMode == "manual"
+	letsEncrypt := tsweb.IsProd443(*addr)
 
-	s := derp.NewServer(cfg.PrivateKey, log.Printf)
-	s.SetVerifyClient(*verifyClients)
+	s := derp.NewServer(key.Private(cfg.PrivateKey), log.Printf)
 
 	if *meshPSKFile != "" {
-		b, err := os.ReadFile(*meshPSKFile)
+		b, err := ioutil.ReadFile(*meshPSKFile)
 		if err != nil {
 			log.Fatal(err)
 		}
@@ -170,21 +139,10 @@ func main() {
 	}
 	expvar.Publish("derp", s.ExpVar())
 
-	mux := http.NewServeMux()
-	if *runDERP {
-		derpHandler := derphttp.Handler(s)
-		derpHandler = addWebSocketSupport(s, derpHandler)
-		mux.Handle("/derp", derpHandler)
-	} else {
-		mux.Handle("/derp", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			http.Error(w, "derp server disabled", http.StatusNotFound)
-		}))
-	}
-	mux.HandleFunc("/derp/probe", probeHandler)
-	go refreshBootstrapDNSLoop()
-	mux.HandleFunc("/bootstrap-dns", tsweb.BrowserHeaderHandlerFunc(handleBootstrapDNS))
+	// Create our own mux so we don't expose /debug/ stuff to the world.
+	mux := tsweb.NewMux(debugHandler(s))
+	mux.Handle("/derp", derphttp.Handler(s))
 	mux.Handle("/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		tsweb.AddBrowserHeaders(w)
 		w.Header().Set("Content-Type", "text/html; charset=utf-8")
 		w.WriteHeader(200)
 		io.WriteString(w, `<html><body>
@@ -192,120 +150,49 @@ func main() {
 <p>
   This is a
   <a href="https://tailscale.com/">Tailscale</a>
-  <a href="https://pkg.go.dev/tailscale.com/derp">DERP</a>
+  <a href="https://godoc.org/tailscale.com/derp">DERP</a>
   server.
 </p>
 `)
-		if !*runDERP {
-			io.WriteString(w, `<p>Status: <b>disabled</b></p>`)
-		}
 		if tsweb.AllowDebugAccess(r) {
 			io.WriteString(w, "<p>Debug info at <a href='/debug/'>/debug/</a>.</p>\n")
 		}
 	}))
-	mux.Handle("/robots.txt", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		tsweb.AddBrowserHeaders(w)
-		io.WriteString(w, "User-agent: *\nDisallow: /\n")
-	}))
-	mux.Handle("/generate_204", http.HandlerFunc(serveNoContent))
-	debug := tsweb.Debugger(mux)
-	debug.KV("TLS hostname", *hostname)
-	debug.KV("Mesh key", s.HasMeshKey())
-	debug.Handle("check", "Consistency check", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		err := s.ConsistencyCheck()
-		if err != nil {
-			http.Error(w, err.Error(), 500)
-		} else {
-			io.WriteString(w, "derp.Server ConsistencyCheck okay")
-		}
-	}))
-	debug.Handle("traffic", "Traffic check", http.HandlerFunc(s.ServeDebugTraffic))
 
 	if *runSTUN {
-		go serveSTUN(listenHost, *stunPort)
+		go serveSTUN()
 	}
 
-	quietLogger := log.New(logFilter{}, "", 0)
 	httpsrv := &http.Server{
-		Addr:     *addr,
-		Handler:  mux,
-		ErrorLog: quietLogger,
-
-		// Set read/write timeout. For derper, this basically
-		// only affects TLS setup, as read/write deadlines are
-		// cleared on Hijack, which the DERP server does. But
-		// without this, we slowly accumulate stuck TLS
-		// handshake goroutines forever. This also affects
-		// /debug/ traffic, but 30 seconds is plenty for
-		// Prometheus/etc scraping.
-		ReadTimeout:  30 * time.Second,
-		WriteTimeout: 30 * time.Second,
+		Addr:    *addr,
+		Handler: mux,
 	}
 
-	if serveTLS {
+	var err error
+	if letsEncrypt {
+		if *certDir == "" {
+			log.Fatalf("missing required --certdir flag")
+		}
 		log.Printf("derper: serving on %s with TLS", *addr)
-		var certManager certProvider
-		certManager, err = certProviderByCertMode(*certMode, *certDir, *hostname)
-		if err != nil {
-			log.Fatalf("derper: can not start cert provider: %v", err)
+		certManager := &autocert.Manager{
+			Prompt:     autocert.AcceptTOS,
+			HostPolicy: autocert.HostWhitelist(*hostname),
+			Cache:      autocert.DirCache(*certDir),
+		}
+		if *hostname == "derp.tailscale.com" {
+			certManager.HostPolicy = prodAutocertHostPolicy
+			certManager.Email = "security@tailscale.com"
 		}
 		httpsrv.TLSConfig = certManager.TLSConfig()
-		getCert := httpsrv.TLSConfig.GetCertificate
-		httpsrv.TLSConfig.GetCertificate = func(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
-			cert, err := getCert(hi)
+		go func() {
+			err := http.ListenAndServe(":80", certManager.HTTPHandler(tsweb.Port80Handler{Main: mux}))
 			if err != nil {
-				return nil, err
+				if err != http.ErrServerClosed {
+					log.Fatal(err)
+				}
 			}
-			cert.Certificate = append(cert.Certificate, s.MetaCert())
-			return cert, nil
-		}
-		// Disable TLS 1.0 and 1.1, which are obsolete and have security issues.
-		httpsrv.TLSConfig.MinVersion = tls.VersionTLS12
-		httpsrv.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			if r.TLS != nil {
-				label := "unknown"
-				switch r.TLS.Version {
-				case tls.VersionTLS10:
-					label = "1.0"
-				case tls.VersionTLS11:
-					label = "1.1"
-				case tls.VersionTLS12:
-					label = "1.2"
-				case tls.VersionTLS13:
-					label = "1.3"
-				}
-				tlsRequestVersion.Add(label, 1)
-				tlsActiveVersion.Add(label, 1)
-				defer tlsActiveVersion.Add(label, -1)
-			}
-
-			mux.ServeHTTP(w, r)
-		})
-		if *httpPort > -1 {
-			go func() {
-				port80mux := http.NewServeMux()
-				port80mux.HandleFunc("/generate_204", serveNoContent)
-				port80mux.Handle("/", certManager.HTTPHandler(tsweb.Port80Handler{Main: mux}))
-				port80srv := &http.Server{
-					Addr:        net.JoinHostPort(listenHost, fmt.Sprintf("%d", *httpPort)),
-					Handler:     port80mux,
-					ErrorLog:    quietLogger,
-					ReadTimeout: 30 * time.Second,
-					// Crank up WriteTimeout a bit more than usually
-					// necessary just so we can do long CPU profiles
-					// and not hit net/http/pprof's "profile
-					// duration exceeds server's WriteTimeout".
-					WriteTimeout: 5 * time.Minute,
-				}
-				err := port80srv.ListenAndServe()
-				if err != nil {
-					if err != http.ErrServerClosed {
-						log.Fatal(err)
-					}
-				}
-			}()
-		}
-		err = rateLimitedListenAndServeTLS(httpsrv)
+		}()
+		err = httpsrv.ListenAndServeTLS("", "")
 	} else {
 		log.Printf("derper: serving on %s", *addr)
 		err = httpsrv.ListenAndServe()
@@ -315,69 +202,77 @@ func main() {
 	}
 }
 
-const (
-	noContentChallengeHeader = "X-Tailscale-Challenge"
-	noContentResponseHeader  = "X-Tailscale-Response"
-)
-
-// For captive portal detection
-func serveNoContent(w http.ResponseWriter, r *http.Request) {
-	if challenge := r.Header.Get(noContentChallengeHeader); challenge != "" {
-		badChar := strings.IndexFunc(challenge, func(r rune) bool {
-			return !isChallengeChar(r)
-		}) != -1
-		if len(challenge) <= 64 && !badChar {
-			w.Header().Set(noContentResponseHeader, "response "+challenge)
+func debugHandler(s *derp.Server) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.RequestURI == "/debug/check" {
+			err := s.ConsistencyCheck()
+			if err != nil {
+				http.Error(w, err.Error(), 500)
+			} else {
+				io.WriteString(w, "derp.Server ConsistencyCheck okay")
+			}
+			return
 		}
-	}
-	w.WriteHeader(http.StatusNoContent)
+		f := func(format string, args ...interface{}) { fmt.Fprintf(w, format, args...) }
+		f(`<html><body>
+<h1>DERP debug</h1>
+<ul>
+`)
+		f("<li><b>Hostname:</b> %v</li>\n", *hostname)
+		f("<li><b>Uptime:</b> %v</li>\n", tsweb.Uptime())
+		f("<li><b>Mesh Key:</b> %v</li>\n", s.HasMeshKey())
+
+		f(`<li><a href="/debug/vars">/debug/vars</a> (Go)</li>
+   <li><a href="/debug/varz">/debug/varz</a> (Prometheus)</li>
+   <li><a href="/debug/pprof/">/debug/pprof/</a></li>
+   <li><a href="/debug/pprof/goroutine?debug=1">/debug/pprof/goroutine</a> (collapsed)</li>
+   <li><a href="/debug/pprof/goroutine?debug=2">/debug/pprof/goroutine</a> (full)</li>
+   <li><a href="/debug/check">/debug/check</a> internal consistency check</li>
+<ul>
+</html>
+`)
+	})
 }
 
-func isChallengeChar(c rune) bool {
-	// Semi-randomly chosen as a limited set of valid characters
-	return ('a' <= c && c <= 'z') || ('A' <= c && c <= 'Z') ||
-		('0' <= c && c <= '9') ||
-		c == '.' || c == '-' || c == '_'
-}
-
-// probeHandler is the endpoint that js/wasm clients hit to measure
-// DERP latency, since they can't do UDP STUN queries.
-func probeHandler(w http.ResponseWriter, r *http.Request) {
-	switch r.Method {
-	case "HEAD", "GET":
-		w.Header().Set("Access-Control-Allow-Origin", "*")
-	default:
-		http.Error(w, "bogus probe method", http.StatusMethodNotAllowed)
-	}
-}
-
-func serveSTUN(host string, port int) {
-	pc, err := net.ListenPacket("udp", net.JoinHostPort(host, fmt.Sprint(port)))
+func serveSTUN() {
+	pc, err := net.ListenPacket("udp", ":3478")
 	if err != nil {
 		log.Fatalf("failed to open STUN listener: %v", err)
 	}
 	log.Printf("running STUN server on %v", pc.LocalAddr())
-	serverSTUNListener(context.Background(), pc.(*net.UDPConn))
-}
 
-func serverSTUNListener(ctx context.Context, pc *net.UDPConn) {
-	var buf [64 << 10]byte
 	var (
-		n   int
-		ua  *net.UDPAddr
-		err error
+		stats           = new(metrics.Set)
+		stunDisposition = &metrics.LabelMap{Label: "disposition"}
+		stunAddrFamily  = &metrics.LabelMap{Label: "family"}
+
+		stunReadError  = stunDisposition.Get("read_error")
+		stunNotSTUN    = stunDisposition.Get("not_stun")
+		stunWriteError = stunDisposition.Get("write_error")
+		stunSuccess    = stunDisposition.Get("success")
+
+		stunIPv4 = stunAddrFamily.Get("ipv4")
+		stunIPv6 = stunAddrFamily.Get("ipv6")
 	)
+	stats.Set("counter_requests", stunDisposition)
+	stats.Set("counter_addrfamily", stunAddrFamily)
+	expvar.Publish("stun", stats)
+
+	var buf [64 << 10]byte
 	for {
-		n, ua, err = pc.ReadFromUDP(buf[:])
+		n, addr, err := pc.ReadFrom(buf[:])
 		if err != nil {
-			if ctx.Err() != nil {
-				return
-			}
 			log.Printf("STUN ReadFrom: %v", err)
 			time.Sleep(time.Second)
 			stunReadError.Add(1)
 			continue
 		}
+		ua, ok := addr.(*net.UDPAddr)
+		if !ok {
+			log.Printf("STUN unexpected address %T %v", addr, addr)
+			stunReadError.Add(1)
+			continue
+		}
 		pkt := buf[:n]
 		if !stun.Is(pkt) {
 			stunNotSTUN.Add(1)
@@ -393,9 +288,8 @@ func serverSTUNListener(ctx context.Context, pc *net.UDPConn) {
 		} else {
 			stunIPv6.Add(1)
 		}
-		addr, _ := netip.AddrFromSlice(ua.IP)
-		res := stun.Response(txid, netip.AddrPortFrom(addr, uint16(ua.Port)))
-		_, err = pc.WriteTo(res, ua)
+		res := stun.Response(txid, ua.IP, uint16(ua.Port))
+		_, err = pc.WriteTo(res, addr)
 		if err != nil {
 			stunWriteError.Add(1)
 		} else {
@@ -425,78 +319,3 @@ func defaultMeshPSKFile() string {
 	}
 	return ""
 }
-
-func rateLimitedListenAndServeTLS(srv *http.Server) error {
-	ln, err := net.Listen("tcp", cmpx.Or(srv.Addr, ":https"))
-	if err != nil {
-		return err
-	}
-	rln := newRateLimitedListener(ln, rate.Limit(*acceptConnLimit), *acceptConnBurst)
-	expvar.Publish("tls_listener", rln.ExpVar())
-	defer rln.Close()
-	return srv.ServeTLS(rln, "", "")
-}
-
-type rateLimitedListener struct {
-	// These are at the start of the struct to ensure 64-bit alignment
-	// on 32-bit architecture regardless of what other fields may exist
-	// in this package.
-	numAccepts expvar.Int // does not include number of rejects
-	numRejects expvar.Int
-
-	net.Listener
-
-	lim *rate.Limiter
-}
-
-func newRateLimitedListener(ln net.Listener, limit rate.Limit, burst int) *rateLimitedListener {
-	return &rateLimitedListener{Listener: ln, lim: rate.NewLimiter(limit, burst)}
-}
-
-func (l *rateLimitedListener) ExpVar() expvar.Var {
-	m := new(metrics.Set)
-	m.Set("counter_accepted_connections", &l.numAccepts)
-	m.Set("counter_rejected_connections", &l.numRejects)
-	return m
-}
-
-var errLimitedConn = errors.New("cannot accept connection; rate limited")
-
-func (l *rateLimitedListener) Accept() (net.Conn, error) {
-	// Even under a rate limited situation, we accept the connection immediately
-	// and close it, rather than being slow at accepting new connections.
-	// This provides two benefits: 1) it signals to the client that something
-	// is going on on the server, and 2) it prevents new connections from
-	// piling up and occupying resources in the OS kernel.
-	// The client will retry as needing (with backoffs in place).
-	cn, err := l.Listener.Accept()
-	if err != nil {
-		return nil, err
-	}
-	if !l.lim.Allow() {
-		l.numRejects.Add(1)
-		cn.Close()
-		return nil, errLimitedConn
-	}
-	l.numAccepts.Add(1)
-	return cn, nil
-}
-
-// logFilter is used to filter out useless error logs that are logged to
-// the net/http.Server.ErrorLog logger.
-type logFilter struct{}
-
-func (logFilter) Write(p []byte) (int, error) {
-	b := mem.B(p)
-	if mem.HasSuffix(b, mem.S(": EOF\n")) ||
-		mem.HasSuffix(b, mem.S(": i/o timeout\n")) ||
-		mem.HasSuffix(b, mem.S(": read: connection reset by peer\n")) ||
-		mem.HasSuffix(b, mem.S(": remote error: tls: bad certificate\n")) ||
-		mem.HasSuffix(b, mem.S(": tls: first record does not look like a TLS handshake\n")) {
-		// Skip this log message, but say that we processed it
-		return len(p), nil
-	}
-
-	log.Printf("%s", p)
-	return len(p), nil
-}

cmd/derper/derper_test.go

@@ -1,17 +1,12 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
 
 package main
 
 import (
 	"context"
-	"net"
-	"net/http"
-	"net/http/httptest"
-	"strings"
 	"testing"
-
-	"tailscale.com/net/stun"
 )
 
 func TestProdAutocertHostPolicy(t *testing.T) {
@@ -36,95 +31,5 @@ func TestProdAutocertHostPolicy(t *testing.T) {
 			t.Errorf("f(%q) = %v; want %v", tt.in, got, tt.wantOK)
 		}
 	}
-}
-
-func BenchmarkServerSTUN(b *testing.B) {
-	b.ReportAllocs()
-	pc, err := net.ListenPacket("udp", "127.0.0.1:0")
-	if err != nil {
-		b.Fatal(err)
-	}
-	defer pc.Close()
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-	go serverSTUNListener(ctx, pc.(*net.UDPConn))
-	addr := pc.LocalAddr().(*net.UDPAddr)
-
-	var resBuf [1500]byte
-	cc, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.ParseIP("127.0.0.1")})
-	if err != nil {
-		b.Fatal(err)
-	}
-
-	tx := stun.NewTxID()
-	req := stun.Request(tx)
-	for i := 0; i < b.N; i++ {
-		if _, err := cc.WriteToUDP(req, addr); err != nil {
-			b.Fatal(err)
-		}
-		_, _, err := cc.ReadFromUDP(resBuf[:])
-		if err != nil {
-			b.Fatal(err)
-		}
-	}
 
 }
-
-func TestNoContent(t *testing.T) {
-	testCases := []struct {
-		name  string
-		input string
-		want  string
-	}{
-		{
-			name: "no challenge",
-		},
-		{
-			name:  "valid challenge",
-			input: "input",
-			want:  "response input",
-		},
-		{
-			name:  "valid challenge hostname",
-			input: "ts_derp99b.tailscale.com",
-			want:  "response ts_derp99b.tailscale.com",
-		},
-		{
-			name:  "invalid challenge",
-			input: "foo\x00bar",
-			want:  "",
-		},
-		{
-			name:  "whitespace invalid challenge",
-			input: "foo bar",
-			want:  "",
-		},
-		{
-			name:  "long challenge",
-			input: strings.Repeat("x", 65),
-			want:  "",
-		},
-	}
-	for _, tt := range testCases {
-		t.Run(tt.name, func(t *testing.T) {
-			req, _ := http.NewRequest("GET", "https://localhost/generate_204", nil)
-			if tt.input != "" {
-				req.Header.Set(noContentChallengeHeader, tt.input)
-			}
-			w := httptest.NewRecorder()
-			serveNoContent(w, req)
-			resp := w.Result()
-
-			if tt.want == "" {
-				if h, found := resp.Header[noContentResponseHeader]; found {
-					t.Errorf("got %+v; expected no response header", h)
-				}
-				return
-			}
-
-			if got := resp.Header.Get(noContentResponseHeader); got != tt.want {
-				t.Errorf("got %q; want %q", got, tt.want)
-			}
-		})
-	}
-}

cmd/derper/mesh.go

@@ -1,17 +1,14 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
+// Copyright (c) 2020 Tailscale Inc & AUTHORS All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
 
 package main
 
 import (
-	"context"
 	"errors"
 	"fmt"
 	"log"
-	"net"
-	"net/netip"
 	"strings"
-	"time"
 
 	"tailscale.com/derp"
 	"tailscale.com/derp/derphttp"
@@ -41,35 +38,8 @@ func startMeshWithHost(s *derp.Server, host string) error {
 		return err
 	}
 	c.MeshKey = s.MeshKey()
-
-	// For meshed peers within a region, connect via VPC addresses.
-	c.SetURLDialer(func(ctx context.Context, network, addr string) (net.Conn, error) {
-		host, port, err := net.SplitHostPort(addr)
-		if err != nil {
-			return nil, err
-		}
-		var d net.Dialer
-		var r net.Resolver
-		if base, ok := strings.CutSuffix(host, ".tailscale.com"); ok && port == "443" {
-			subCtx, cancel := context.WithTimeout(ctx, 2*time.Second)
-			defer cancel()
-			vpcHost := base + "-vpc.tailscale.com"
-			ips, _ := r.LookupIP(subCtx, "ip", vpcHost)
-			if len(ips) > 0 {
-				vpcAddr := net.JoinHostPort(ips[0].String(), port)
-				c, err := d.DialContext(subCtx, network, vpcAddr)
-				if err == nil {
-					log.Printf("connected to %v (%v) instead of %v", vpcHost, ips[0], base)
-					return c, nil
-				}
-				log.Printf("failed to connect to %v (%v): %v; trying non-VPC route", vpcHost, ips[0], err)
-			}
-		}
-		return d.DialContext(ctx, network, addr)
-	})
-
-	add := func(k key.NodePublic, _ netip.AddrPort) { s.AddPacketForwarder(k, c) }
-	remove := func(k key.NodePublic) { s.RemovePacketForwarder(k, c) }
-	go c.RunWatchConnectionLoop(context.Background(), s.PublicKey(), logf, add, remove)
+	add := func(k key.Public) { s.AddPacketForwarder(k, c) }
+	remove := func(k key.Public) { s.RemovePacketForwarder(k, c) }
+	go c.RunWatchConnectionLoop(s.PublicKey(), add, remove)
 	return nil
 }

cmd/derper/websocket.go

@@ -1,57 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package main
-
-import (
-	"bufio"
-	"expvar"
-	"log"
-	"net/http"
-	"strings"
-
-	"nhooyr.io/websocket"
-	"tailscale.com/derp"
-	"tailscale.com/net/wsconn"
-)
-
-var counterWebSocketAccepts = expvar.NewInt("derp_websocket_accepts")
-
-// addWebSocketSupport returns a Handle wrapping base that adds WebSocket server support.
-func addWebSocketSupport(s *derp.Server, base http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		up := strings.ToLower(r.Header.Get("Upgrade"))
-
-		// Very early versions of Tailscale set "Upgrade: WebSocket" but didn't actually
-		// speak WebSockets (they still assumed DERP's binary framing). So to distinguish
-		// clients that actually want WebSockets, look for an explicit "derp" subprotocol.
-		if up != "websocket" || !strings.Contains(r.Header.Get("Sec-Websocket-Protocol"), "derp") {
-			base.ServeHTTP(w, r)
-			return
-		}
-
-		c, err := websocket.Accept(w, r, &websocket.AcceptOptions{
-			Subprotocols:   []string{"derp"},
-			OriginPatterns: []string{"*"},
-			// Disable compression because we transmit WireGuard messages that
-			// are not compressible.
-			// Additionally, Safari has a broken implementation of compression
-			// (see https://github.com/nhooyr/websocket/issues/218) that makes
-			// enabling it actively harmful.
-			CompressionMode: websocket.CompressionDisabled,
-		})
-		if err != nil {
-			log.Printf("websocket.Accept: %v", err)
-			return
-		}
-		defer c.Close(websocket.StatusInternalError, "closing")
-		if c.Subprotocol() != "derp" {
-			c.Close(websocket.StatusPolicyViolation, "client must speak the derp subprotocol")
-			return
-		}
-		counterWebSocketAccepts.Add(1)
-		wc := wsconn.NetConn(r.Context(), c, websocket.MessageBinary)
-		brw := bufio.NewReadWriter(bufio.NewReader(wc), bufio.NewWriter(wc))
-		s.Accept(r.Context(), wc, brw, r.RemoteAddr)
-	})
-}

cmd/derpprobe/derpprobe.go

@@ -1,110 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// The derpprobe binary probes derpers.
-package main
-
-import (
-	"flag"
-	"fmt"
-	"html"
-	"io"
-	"log"
-	"net/http"
-	"sort"
-	"time"
-
-	"tailscale.com/prober"
-	"tailscale.com/tsweb"
-)
-
-var (
-	derpMapURL = flag.String("derp-map", "https://login.tailscale.com/derpmap/default", "URL to DERP map (https:// or file://)")
-	listen     = flag.String("listen", ":8030", "HTTP listen address")
-	probeOnce  = flag.Bool("once", false, "probe once and print results, then exit; ignores the listen flag")
-	spread     = flag.Bool("spread", true, "whether to spread probing over time")
-	interval   = flag.Duration("interval", 15*time.Second, "probe interval")
-)
-
-func main() {
-	flag.Parse()
-
-	p := prober.New().WithSpread(*spread).WithOnce(*probeOnce).WithMetricNamespace("derpprobe")
-	dp, err := prober.DERP(p, *derpMapURL, *interval, *interval, *interval)
-	if err != nil {
-		log.Fatal(err)
-	}
-	p.Run("derpmap-probe", *interval, nil, dp.ProbeMap)
-
-	if *probeOnce {
-		log.Printf("Waiting for all probes (may take up to 1m)")
-		p.Wait()
-
-		st := getOverallStatus(p)
-		for _, s := range st.good {
-			log.Printf("good: %s", s)
-		}
-		for _, s := range st.bad {
-			log.Printf("bad: %s", s)
-		}
-		return
-	}
-
-	mux := http.NewServeMux()
-	tsweb.Debugger(mux)
-	mux.HandleFunc("/", http.HandlerFunc(serveFunc(p)))
-	log.Fatal(http.ListenAndServe(*listen, mux))
-}
-
-type overallStatus struct {
-	good, bad []string
-}
-
-func (st *overallStatus) addBadf(format string, a ...any) {
-	st.bad = append(st.bad, fmt.Sprintf(format, a...))
-}
-
-func (st *overallStatus) addGoodf(format string, a ...any) {
-	st.good = append(st.good, fmt.Sprintf(format, a...))
-}
-
-func getOverallStatus(p *prober.Prober) (o overallStatus) {
-	for p, i := range p.ProbeInfo() {
-		if i.End.IsZero() {
-			// Do not show probes that have not finished yet.
-			continue
-		}
-		if i.Result {
-			o.addGoodf("%s: %s", p, i.Latency)
-		} else {
-			o.addBadf("%s: %s", p, i.Error)
-		}
-	}
-
-	sort.Strings(o.bad)
-	sort.Strings(o.good)
-	return
-}
-
-func serveFunc(p *prober.Prober) func(w http.ResponseWriter, r *http.Request) {
-	return func(w http.ResponseWriter, r *http.Request) {
-		st := getOverallStatus(p)
-		summary := "All good"
-		if (float64(len(st.bad)) / float64(len(st.bad)+len(st.good))) > 0.25 {
-			// Returning a 500 allows monitoring this server externally and configuring
-			// an alert on HTTP response code.
-			w.WriteHeader(500)
-			summary = fmt.Sprintf("%d problems", len(st.bad))
-		}
-
-		io.WriteString(w, "<html><head><style>.bad { font-weight: bold; color: #700; }</style></head>\n")
-		fmt.Fprintf(w, "<body><h1>derp probe</h1>\n%s:<ul>", summary)
-		for _, s := range st.bad {
-			fmt.Fprintf(w, "<li class=bad>%s</li>\n", html.EscapeString(s))
-		}
-		for _, s := range st.good {
-			fmt.Fprintf(w, "<li>%s</li>\n", html.EscapeString(s))
-		}
-		io.WriteString(w, "</ul></body></html>\n")
-	}
-}