cmd/tailscale/cli: [web] update JS in web.html for Unraid support

Signed-off-by: Shayne Sweeney <shayne@tailscale.com>
cmd/tailscale: allow Tailscale to work with Unraid web interface
2023-05-16 20:34:30 -04:00 · 2023-05-06 22:35:02 -04:00
315 changed files with 6557 additions and 21444 deletions
--- a/.github/workflows/docker-file-build.yml
+++ b/.github/workflows/docker-file-build.yml
@@ -1,15 +0,0 @@
-name: "Dockerfile build"
-on: 
-  push:
-    branches:
-    - main
-  pull_request:
-    branches:
-      - "*"
-jobs:
-  deploy:
-    runs-on: ubuntu-latest
-    steps:
-    - uses: actions/checkout@v3
-    - name: "Build Docker image"
-      run: docker build .
--- a/.github/workflows/go-licenses.yml
+++ b/.github/workflows/go-licenses.yml
@@ -50,7 +50,7 @@ jobs:
          private_key: ${{ secrets.LICENSING_APP_PRIVATE_KEY }}

      - name: Send pull request
-        uses: peter-evans/create-pull-request@284f54f989303d2699d373481a0cfa13ad5a6666 #v5.0.1
+        uses: peter-evans/create-pull-request@5b4a9f6a9e2af26e5f02351490b90d01eb8ec1e5 #v5.0.0
        with:
          token: ${{ steps.generate-token.outputs.token }}
          author: License Updater <noreply+license-updater@tailscale.com>
--- a/.github/workflows/golangci-lint.yml
+++ b/.github/workflows/golangci-lint.yml
@@ -32,7 +32,7 @@ jobs:

      - name: golangci-lint
        # Note: this is the 'v3' tag as of 2023-04-17
-        uses: golangci/golangci-lint-action@639cd343e1d3b897ff35927a75193d57cfcba299
+        uses: golangci/golangci-lint-action@08e2f20817b15149a52b5b3ebe7de50aff2ba8c5
        with:
          version: v1.52.2

--- a/.github/workflows/govulncheck.yml
+++ b/.github/workflows/govulncheck.yml
@@ -1,37 +0,0 @@
-name: govulncheck
-
-on:
-  schedule:
-    - cron: "0 12 * * *" # 8am EST / 10am PST / 12pm UTC
-  workflow_dispatch: # allow manual trigger for testing
-  pull_request:
-    paths:
-      - ".github/workflows/govulncheck.yml"
-
-jobs:
-  source-scan:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Check out code into the Go module directory
-        uses: actions/checkout@v3
-
-      - name: Install govulncheck
-        run: ./tool/go install golang.org/x/vuln/cmd/govulncheck@latest
-
-      - name: Scan source code for known vulnerabilities
-        run: PATH=$PWD/tool/:$PATH "$(./tool/go env GOPATH)/bin/govulncheck" -test ./...
-
-      - uses: ruby/action-slack@v3.2.1
-        with:
-          payload: >
-            {
-              "attachments": [{
-                "text": "${{ job.status }}: ${{ github.workflow }} <https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks>
-                        (<https://github.com/${{ github.repository }}/commit/${{ github.sha }}|commit>) of ${{ github.repository }}@${{ github.ref_name }} by ${{ github.event.head_commit.committer.name }}",
-                "color": "danger"
-              }]
-            }
-        env:
-          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-        if: failure() && github.event_name == 'schedule'
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -90,11 +90,11 @@ jobs:
    - name: build test wrapper
      run: ./tool/go build -o /tmp/testwrapper ./cmd/testwrapper
    - name: test all
-      run: PATH=$PWD/tool:$PATH /tmp/testwrapper ./... ${{matrix.buildflags}}
+      run: ./tool/go test ${{matrix.buildflags}} -exec=/tmp/testwrapper
      env:
        GOARCH: ${{ matrix.goarch }}
    - name: bench all
-      run: PATH=$PWD/tool:$PATH /tmp/testwrapper ./... ${{matrix.buildflags}} -bench=. -benchtime=1x -run=^$ 
+      run: ./tool/go test ${{matrix.buildflags}} -exec=/tmp/testwrapper -test.bench=. -test.benchtime=1x -test.run=^$
      env:
        GOARCH: ${{ matrix.goarch }}
    - name: check that no tracked files changed
--- a/.github/workflows/update-flake.yml
+++ b/.github/workflows/update-flake.yml
@@ -35,7 +35,7 @@ jobs:
          private_key: ${{ secrets.LICENSING_APP_PRIVATE_KEY }}

      - name: Send pull request
-        uses: peter-evans/create-pull-request@284f54f989303d2699d373481a0cfa13ad5a6666 #v5.0.1
+        uses: peter-evans/create-pull-request@5b4a9f6a9e2af26e5f02351490b90d01eb8ec1e5 #v5.0.0
        with:
          token: ${{ steps.generate-token.outputs.token }}
          author: Flakes Updater <noreply+flakes-updater@tailscale.com>
--- a/5
+++ b/5
@@ -47,7 +47,8 @@ RUN go install \
    golang.org/x/crypto/ssh \
    golang.org/x/crypto/acme \
    nhooyr.io/websocket \
-    github.com/mdlayher/netlink
+    github.com/mdlayher/netlink \
+    golang.zx2c4.com/wireguard/device

 COPY . .

@@ -72,4 +73,4 @@ RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables
 COPY --from=build-env /go/bin/* /usr/local/bin/
 # For compat with the previous run.sh, although ideally you should be
 # using build_docker.sh which sets an entrypoint for the image.
-RUN mkdir /tailscale && ln -s /usr/local/bin/containerboot /tailscale/run.sh
+RUN ln -s /usr/local/bin/containerboot /tailscale/run.sh
--- a/Dockerfile.base
+++ b/Dockerfile.base
@@ -2,4 +2,4 @@
 # SPDX-License-Identifier: BSD-3-Clause

 FROM alpine:3.16
-RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables iputils
+RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables
--- a/5
+++ b/5
@@ -48,10 +48,11 @@ staticcheck: ## Run staticcheck.io checks
 	./tool/go run honnef.co/go/tools/cmd/staticcheck -- $$(./tool/go list ./... | grep -v tempfork)

 spk: ## Build synology package for ${SYNO_ARCH} architecture and ${SYNO_DSM} DSM version
-	./tool/go run ./cmd/dist build synology/dsm${SYNO_DSM}/${SYNO_ARCH}
+	PATH="${PWD}/tool:${PATH}" ./tool/go run github.com/tailscale/tailscale-synology@main -o tailscale.spk --source=. --goarch=${SYNO_ARCH} --dsm-version=${SYNO_DSM}

 spkall: ## Build synology packages for all architectures and DSM versions
-	./tool/go run ./cmd/dist build synology
+	mkdir -p spks
+	PATH="${PWD}/tool:${PATH}" ./tool/go run github.com/tailscale/tailscale-synology@main -o spks --source=. --goarch=all --dsm-version=all

 pushspk: spk ## Push and install synology package on ${SYNO_HOST} host
 	echo "Pushing SPK to root@${SYNO_HOST} (env var SYNO_HOST) ..."
--- a/VERSION.txt
+++ b/VERSION.txt
@@ -1 +1 @@
-1.47.0
+1.41.0
--- a/api.md
+++ b/api.md
@@ -101,8 +101,8 @@ You can also [list all devices in the tailnet](#list-tailnet-devices) to get the
 ``` jsonc
 {
  // addresses (array of strings) is a list of Tailscale IP
-  // addresses for the device, including both IPv4 (formatted as 100.x.y.z)
-  // and IPv6 (formatted as fd7a:115c:a1e0:a:b:c:d:e) addresses.
+  // addresses for the device, including both ipv4 (formatted as 100.x.y.z)
+  // and ipv6 (formatted as fd7a:115c:a1e0:a:b:c:d:e) addresses.
  "addresses": [
    "100.87.74.78",
    "fd7a:115c:a1e0:ac82:4843:ca90:697d:c36e"
@@ -503,8 +503,7 @@ Returns the enabled and advertised subnet routes for a device.
 POST /api/v2/device/{deviceID}/authorized
 ```

-Authorize a device.
-This call marks a device as authorized or revokes its authorization for tailnets where device authorization is required, according to the `authorized` field in the payload.
+Authorize a device. This call marks a device as authorized for tailnets where device authorization is required.

 This returns a successful 2xx response with an empty JSON object in the response body.

@@ -516,8 +515,7 @@ The ID of the device.

 #### `authorized` (required in `POST` body)

-Specify whether the device is authorized. False to deauthorize an authorized device, and true to authorize a new device or to re-authorize a previously deauthorized device.
-
+Specify whether the device is authorized. Only 'true' is currently supported.

 ``` jsonc
 {
@@ -1115,21 +1113,6 @@ Look at the response body to determine whether there was a problem within your A
  }
  ```

-If your tailnet has [user and group provisioning](https://tailscale.com/kb/1180/sso-okta-scim/) turned on, we will also warn you about
-any groups that are used in the policy file that are not being synced from SCIM. Explicitly defined groups will not trigger this warning.
-
-```jsonc
-{
-  "message":"warning(s) found",
-  "data":[
-          {
-            "user": "group:unknown@example.com",
-            "warnings":["group is not syncing from SCIM and will be ignored by rules in the policy file"]
-          }
-        ]
-}
-```
-
 <a href="tailnet-devices"></a>

 ## List tailnet devices
@@ -1238,11 +1221,6 @@ The remaining three methods operate on auth keys and API access tokens.

  // expirySeconds (int) is the duration in seconds a new key is valid.
  "expirySeconds": 86400
-
-  // description (string) is an optional short phrase that describes what
-  // this key is used for. It can be a maximum of 50 alphanumeric characters.
-  // Hyphens and underscores are also allowed.
-  "description": "short description of key purpose"
 }
 ```

@@ -1329,9 +1307,6 @@ Note the following about required vs. optional values:
  Specifies the duration in seconds until the key should expire.
  Defaults to 90 days if not supplied.

- **`description`:** Optional in `POST` body.
-  A short string specifying the purpose of the key. Can be a maximum of 50 alphanumeric characters. Hyphens and spaces are also allowed.
-
 ### Request example

 ``` jsonc
@@ -1349,8 +1324,7 @@ curl "https://api.tailscale.com/api/v2/tailnet/example.com/keys" \
      }
    }
  },
-  "expirySeconds": 86400,
-  "description": "dev access"
+  "expirySeconds": 86400
 }'
 ```

@@ -1376,8 +1350,7 @@ It holds the capabilities specified in the request and can no longer be retrieve
        "tags": [ "tag:example" ]
      }
    }
-  },
-  "description": "dev access"
+  }
 }
 ```

@@ -1429,8 +1402,7 @@ The response is a JSON object with information about the key supplied.
        ]
      }
    }
-  },
-  "description": "dev access"
+  }
 }
 ```

--- a/build_dist.sh
+++ b/build_dist.sh
@@ -49,4 +49,4 @@ while [ "$#" -gt 1 ]; do
 	esac
 done

-exec $go build ${tags:+-tags=$tags} -ldflags "$ldflags" "$@"
+exec ./tool/go build ${tags:+-tags=$tags} -ldflags "$ldflags" "$@"
--- a/client/tailscale/acl.go
+++ b/client/tailscale/acl.go
@@ -150,9 +150,8 @@ func (c *Client) ACLHuJSON(ctx context.Context) (acl *ACLHuJSON, err error) {
 // ACLTestFailureSummary specifies the JSON format sent to the
 // JavaScript client to be rendered in the HTML.
 type ACLTestFailureSummary struct {
-	User     string   `json:"user,omitempty"`
-	Errors   []string `json:"errors,omitempty"`
-	Warnings []string `json:"warnings,omitempty"`
+	User   string   `json:"user"`
+	Errors []string `json:"errors"`
 }

 // ACLTestError is ErrResponse but with an extra field to account for ACLTestFailureSummary.
--- a/client/tailscale/apitype/apitype.go
+++ b/client/tailscale/apitype/apitype.go
@@ -14,9 +14,8 @@ type WhoIsResponse struct {
 	Node        *tailcfg.Node
 	UserProfile *tailcfg.UserProfile

-	// CapMap is a map of capabilities to their values.
-	// See tailcfg.PeerCapMap and tailcfg.PeerCapability for details.
-	CapMap tailcfg.PeerCapMap
+	// Caps are extra capabilities that the remote Node has to this node.
+	Caps []string `json:",omitempty"`
 }

 // FileTarget is a node to which files can be sent, and the PeerAPI
--- a/client/tailscale/devices.go
+++ b/client/tailscale/devices.go
@@ -12,6 +12,7 @@ import (
 	"fmt"
 	"net/http"
 	"net/url"
+	"strings"

 	"tailscale.com/types/opt"
 )
@@ -212,20 +213,8 @@ func (c *Client) DeleteDevice(ctx context.Context, deviceID string) (err error)

 // AuthorizeDevice marks a device as authorized.
 func (c *Client) AuthorizeDevice(ctx context.Context, deviceID string) error {
-	return c.SetAuthorized(ctx, deviceID, true)
-}
-
-// SetAuthorized marks a device as authorized or not.
-func (c *Client) SetAuthorized(ctx context.Context, deviceID string, authorized bool) error {
-	params := &struct {
-		Authorized bool `json:"authorized"`
-	}{Authorized: authorized}
-	data, err := json.Marshal(params)
-	if err != nil {
-		return err
-	}
 	path := fmt.Sprintf("%s/api/v2/device/%s/authorized", c.baseURL(), url.PathEscape(deviceID))
-	req, err := http.NewRequestWithContext(ctx, "POST", path, bytes.NewBuffer(data))
+	req, err := http.NewRequestWithContext(ctx, "POST", path, strings.NewReader(`{"authorized":true}`))
 	if err != nil {
 		return err
 	}
--- a/client/tailscale/keys.go
+++ b/client/tailscale/keys.go
@@ -68,32 +68,12 @@ func (c *Client) Keys(ctx context.Context) ([]string, error) {
 }

 // CreateKey creates a new key for the current user. Currently, only auth keys
-// can be created. It returns the secret key itself, which cannot be retrieved again
+// can be created. Returns the key itself, which cannot be retrieved again
 // later, and the key metadata.
-//
-// To create a key with a specific expiry, use CreateKeyWithExpiry.
-func (c *Client) CreateKey(ctx context.Context, caps KeyCapabilities) (keySecret string, keyMeta *Key, _ error) {
-	return c.CreateKeyWithExpiry(ctx, caps, 0)
-}
-
-// CreateKeyWithExpiry is like CreateKey, but allows specifying a expiration time.
-//
-// The time is truncated to a whole number of seconds. If zero, that means no expiration.
-func (c *Client) CreateKeyWithExpiry(ctx context.Context, caps KeyCapabilities, expiry time.Duration) (keySecret string, keyMeta *Key, _ error) {
-
-	// convert expirySeconds to an int64 (seconds)
-	expirySeconds := int64(expiry.Seconds())
-	if expirySeconds < 0 {
-		return "", nil, fmt.Errorf("expiry must be positive")
-	}
-	if expirySeconds == 0 && expiry != 0 {
-		return "", nil, fmt.Errorf("non-zero expiry must be at least one second")
-	}
-
+func (c *Client) CreateKey(ctx context.Context, caps KeyCapabilities) (string, *Key, error) {
 	keyRequest := struct {
-		Capabilities  KeyCapabilities `json:"capabilities"`
-		ExpirySeconds int64           `json:"expirySeconds,omitempty"`
-	}{caps, int64(expirySeconds)}
+		Capabilities KeyCapabilities `json:"capabilities"`
+	}{caps}
 	bs, err := json.Marshal(keyRequest)
 	if err != nil {
 		return "", nil, err
--- a/client/tailscale/localclient.go
+++ b/client/tailscale/localclient.go
@@ -807,16 +807,11 @@ func (lc *LocalClient) ExpandSNIName(ctx context.Context, name string) (fqdn str
 	return "", false
 }

-// Ping sends a ping of the provided type and size to the provided IP and waits
+// Ping sends a ping of the provided type to the provided IP and waits
 // for its response.
-//
-// For disco pings, the size argument specifies the length of the packet's payload, that
-// is, including the disco headers and message, but not including the IP and UDP headers.
-// If size is smaller than the minimum message size it's ignored.
-func (lc *LocalClient) Ping(ctx context.Context, ip netip.Addr, pingtype tailcfg.PingType, size int) (*ipnstate.PingResult, error) {
+func (lc *LocalClient) Ping(ctx context.Context, ip netip.Addr, pingtype tailcfg.PingType) (*ipnstate.PingResult, error) {
 	v := url.Values{}
 	v.Set("ip", ip.String())
-	v.Set("size", strconv.Itoa(size))
 	v.Set("type", string(pingtype))
 	body, err := lc.send(ctx, "POST", "/localapi/v0/ping?"+v.Encode(), 200, nil)
 	if err != nil {
@@ -951,21 +946,6 @@ func (lc *LocalClient) NetworkLockForceLocalDisable(ctx context.Context) error {
 	return nil
 }

-// NetworkLockVerifySigningDeeplink verifies the network lock deeplink contained
-// in url and returns information extracted from it.
-func (lc *LocalClient) NetworkLockVerifySigningDeeplink(ctx context.Context, url string) (*tka.DeeplinkValidationResult, error) {
-	vr := struct {
-		URL string
-	}{url}
-
-	body, err := lc.send(ctx, "POST", "/localapi/v0/tka/verify-deeplink", 200, jsonBody(vr))
-	if err != nil {
-		return nil, fmt.Errorf("sending verify-deeplink: %w", err)
-	}
-
-	return decodeJSON[*tka.DeeplinkValidationResult](body)
-}
-
 // SetServeConfig sets or replaces the serving settings.
 // If config is nil, settings are cleared and serving is disabled.
 func (lc *LocalClient) SetServeConfig(ctx context.Context, config *ipn.ServeConfig) error {
--- a/cmd/cloner/cloner.go
+++ b/cmd/cloner/cloner.go
@@ -131,8 +131,6 @@ func gen(buf *bytes.Buffer, it *codegen.ImportTracker, typ *types.Named) {
 					} else {
 						writef("\tdst.%s[i] = src.%s[i].Clone()", fname, fname)
 					}
-				} else if ft.Elem().String() == "encoding/json.RawMessage" {
-					writef("\tdst.%s[i] = append(src.%s[i][:0:0], src.%s[i]...)", fname, fname, fname)
 				} else {
 					writef("\tdst.%s[i] = *src.%s[i].Clone()", fname, fname)
 				}
--- a/cmd/derper/depaware.txt
+++ b/cmd/derper/depaware.txt
@@ -12,16 +12,9 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
        github.com/beorn7/perks/quantile                             from github.com/prometheus/client_golang/prometheus
     💣 github.com/cespare/xxhash/v2                                 from github.com/prometheus/client_golang/prometheus
-   L    github.com/coreos/go-iptables/iptables                       from tailscale.com/util/linuxfw
        github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
        github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
        github.com/golang/protobuf/proto                             from github.com/matttproud/golang_protobuf_extensions/pbutil+
-   L    github.com/google/nftables                                   from tailscale.com/util/linuxfw
-   L 💣 github.com/google/nftables/alignedbuff                       from github.com/google/nftables/xt
-   L 💣 github.com/google/nftables/binaryutil                        from github.com/google/nftables+
-   L    github.com/google/nftables/expr                              from github.com/google/nftables+
-   L    github.com/google/nftables/internal/parseexprfunc            from github.com/google/nftables+
-   L    github.com/google/nftables/xt                                from github.com/google/nftables/expr+
        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka
   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces+
@@ -30,7 +23,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        github.com/matttproud/golang_protobuf_extensions/pbutil      from github.com/prometheus/common/expfmt
   L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
-   L    github.com/mdlayher/netlink/nltest                           from github.com/google/nftables
   L 💣 github.com/mdlayher/socket                                   from github.com/mdlayher/netlink
     💣 github.com/mitchellh/go-ps                                   from tailscale.com/safesocket
     💣 github.com/prometheus/client_golang/prometheus               from tailscale.com/tsweb/promvarz
@@ -42,9 +34,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
  LD    github.com/prometheus/procfs                                 from github.com/prometheus/client_golang/prometheus
  LD    github.com/prometheus/procfs/internal/fs                     from github.com/prometheus/procfs
  LD    github.com/prometheus/procfs/internal/util                   from github.com/prometheus/procfs
-   L 💣 github.com/tailscale/netlink                                 from tailscale.com/util/linuxfw
-   L 💣 github.com/vishvananda/netlink/nl                            from github.com/tailscale/netlink
-   L    github.com/vishvananda/netns                                 from github.com/tailscale/netlink+
        github.com/x448/float16                                      from github.com/fxamacker/cbor/v2
     💣 go4.org/mem                                                  from tailscale.com/client/tailscale+
        go4.org/netipx                                               from tailscale.com/wgengine/filter
@@ -104,7 +93,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        tailscale.com/net/packet                                     from tailscale.com/wgengine/filter
        tailscale.com/net/sockstats                                  from tailscale.com/derp/derphttp
        tailscale.com/net/stun                                       from tailscale.com/cmd/derper
-   L    tailscale.com/net/tcpinfo                                    from tailscale.com/derp
        tailscale.com/net/tlsdial                                    from tailscale.com/derp/derphttp
        tailscale.com/net/tsaddr                                     from tailscale.com/ipn+
     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/derp/derphttp+
@@ -115,7 +103,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        tailscale.com/tailcfg                                        from tailscale.com/client/tailscale+
        tailscale.com/tka                                            from tailscale.com/client/tailscale+
   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
-        tailscale.com/tstime                                         from tailscale.com/derp+
     💣 tailscale.com/tstime/mono                                    from tailscale.com/tstime/rate
        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter+
        tailscale.com/tsweb                                          from tailscale.com/cmd/derper
@@ -138,14 +125,12 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
   W    tailscale.com/util/clientmetric                              from tailscale.com/net/tshttpproxy
        tailscale.com/util/cloudenv                                  from tailscale.com/hostinfo+
   W    tailscale.com/util/cmpver                                    from tailscale.com/net/tshttpproxy
-        tailscale.com/util/cmpx                                      from tailscale.com/cmd/derper+
   L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics
        tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
        tailscale.com/util/httpm                                     from tailscale.com/client/tailscale
        tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
-   L    tailscale.com/util/linuxfw                                   from tailscale.com/net/netns
        tailscale.com/util/mak                                       from tailscale.com/syncs+
-        tailscale.com/util/multierr                                  from tailscale.com/health+
+        tailscale.com/util/multierr                                  from tailscale.com/health
        tailscale.com/util/set                                       from tailscale.com/health+
        tailscale.com/util/singleflight                              from tailscale.com/net/dnscache
        tailscale.com/util/slicesx                                   from tailscale.com/cmd/derper+
@@ -169,7 +154,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
        golang.org/x/exp/constraints                                 from golang.org/x/exp/slices
-        golang.org/x/exp/maps                                        from tailscale.com/types/views
        golang.org/x/exp/slices                                      from tailscale.com/net/tsaddr+
   L    golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
        golang.org/x/net/dns/dnsmessage                              from net+
@@ -241,7 +225,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        io/fs                                                        from crypto/x509+
        io/ioutil                                                    from github.com/mitchellh/go-ps+
        log                                                          from expvar+
-        log/internal                                                 from log
        math                                                         from compress/flate+
        math/big                                                     from crypto/dsa+
        math/bits                                                    from compress/flate+
--- a/cmd/derper/derper.go
+++ b/cmd/derper/derper.go
@@ -33,7 +33,6 @@ import (
 	"tailscale.com/net/stun"
 	"tailscale.com/tsweb"
 	"tailscale.com/types/key"
-	"tailscale.com/util/cmpx"
 )

 var (
@@ -182,9 +181,8 @@ func main() {
 	}
 	mux.HandleFunc("/derp/probe", probeHandler)
 	go refreshBootstrapDNSLoop()
-	mux.HandleFunc("/bootstrap-dns", tsweb.BrowserHeaderHandlerFunc(handleBootstrapDNS))
+	mux.HandleFunc("/bootstrap-dns", handleBootstrapDNS)
 	mux.Handle("/", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		tsweb.AddBrowserHeaders(w)
 		w.Header().Set("Content-Type", "text/html; charset=utf-8")
 		w.WriteHeader(200)
 		io.WriteString(w, `<html><body>
@@ -204,7 +202,6 @@ func main() {
 		}
 	}))
 	mux.Handle("/robots.txt", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		tsweb.AddBrowserHeaders(w)
 		io.WriteString(w, "User-agent: *\nDisallow: /\n")
 	}))
 	mux.Handle("/generate_204", http.HandlerFunc(serveNoContent))
@@ -279,6 +276,18 @@ func main() {
 				defer tlsActiveVersion.Add(label, -1)
 			}

+			// Set HTTP headers to appease automated security scanners.
+			//
+			// Security automation gets cranky when HTTPS sites don't
+			// set HSTS, and when they don't specify a content
+			// security policy for XSS mitigation.
+			//
+			// DERP's HTTP interface is only ever used for debug
+			// access (for which trivial safe policies work just
+			// fine), and by DERP clients which don't obey any of
+			// these browser-centric headers anyway.
+			w.Header().Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
+			w.Header().Set("Content-Security-Policy", "default-src 'none'; frame-ancestors 'none'; form-action 'none'; base-uri 'self'; block-all-mixed-content; plugin-types 'none'")
 			mux.ServeHTTP(w, r)
 		})
 		if *httpPort > -1 {
@@ -427,7 +436,11 @@ func defaultMeshPSKFile() string {
 }

 func rateLimitedListenAndServeTLS(srv *http.Server) error {
-	ln, err := net.Listen("tcp", cmpx.Or(srv.Addr, ":https"))
+	addr := srv.Addr
+	if addr == "" {
+		addr = ":https"
+	}
+	ln, err := net.Listen("tcp", addr)
 	if err != nil {
 		return err
 	}
--- a/cmd/dist/dist.go
+++ b/cmd/dist/dist.go
@@ -13,38 +13,15 @@ import (

 	"tailscale.com/release/dist"
 	"tailscale.com/release/dist/cli"
-	"tailscale.com/release/dist/synology"
 	"tailscale.com/release/dist/unixpkgs"
 )

-var synologyPackageCenter bool
-
 func getTargets() ([]dist.Target, error) {
-	var ret []dist.Target
-
-	ret = append(ret, unixpkgs.Targets()...)
-	// Synology packages can be built either for sideloading, or for
-	// distribution by Synology in their package center. When
-	// distributed through the package center, apps can request
-	// additional permissions to use a tuntap interface and control
-	// the NAS's network stack, rather than be forced to run in
-	// userspace mode.
-	//
-	// Since only we can provide packages to Synology for
-	// distribution, we default to building the "sideload" variant of
-	// packages that we distribute on pkgs.tailscale.com.
-	ret = append(ret, synology.Targets(synologyPackageCenter)...)
-	return ret, nil
+	return unixpkgs.Targets(), nil
 }

 func main() {
 	cmd := cli.CLI(getTargets)
-	for _, subcmd := range cmd.Subcommands {
-		if subcmd.Name == "build" {
-			subcmd.FlagSet.BoolVar(&synologyPackageCenter, "synology-package-center", false, "build synology packages with extra metadata for the official package center")
-		}
-	}
-
 	if err := cmd.ParseAndRun(context.Background(), os.Args[1:]); err != nil && !errors.Is(err, flag.ErrHelp) {
 		log.Fatal(err)
 	}
--- a/cmd/get-authkey/main.go
+++ b/cmd/get-authkey/main.go
@@ -16,7 +16,6 @@ import (

 	"golang.org/x/oauth2/clientcredentials"
 	"tailscale.com/client/tailscale"
-	"tailscale.com/util/cmpx"
 )

 func main() {
@@ -40,7 +39,10 @@ func main() {
 		log.Fatal("at least one tag must be specified")
 	}

-	baseURL := cmpx.Or(os.Getenv("TS_BASE_URL"), "https://api.tailscale.com")
+	baseURL := os.Getenv("TS_BASE_URL")
+	if baseURL == "" {
+		baseURL = "https://api.tailscale.com"
+	}

 	credentials := clientcredentials.Config{
 		ClientID:     clientID,
--- a/cmd/gitops-pusher/gitops-pusher.go
+++ b/cmd/gitops-pusher/gitops-pusher.go
@@ -23,7 +23,6 @@ import (
 	"github.com/peterbourgon/ff/v3/ffcli"
 	"github.com/tailscale/hujson"
 	"golang.org/x/oauth2/clientcredentials"
-	"tailscale.com/client/tailscale"
 	"tailscale.com/util/httpm"
 )

@@ -271,7 +270,7 @@ func applyNewACL(ctx context.Context, client *http.Client, tailnet, apiKey, poli
 	got := resp.StatusCode
 	want := http.StatusOK
 	if got != want {
-		var ate ACLGitopsTestError
+		var ate ACLTestError
 		err := json.NewDecoder(resp.Body).Decode(&ate)
 		if err != nil {
 			return err
@@ -307,7 +306,7 @@ func testNewACLs(ctx context.Context, client *http.Client, tailnet, apiKey, poli
 	}
 	defer resp.Body.Close()

-	var ate ACLGitopsTestError
+	var ate ACLTestError
 	err = json.NewDecoder(resp.Body).Decode(&ate)
 	if err != nil {
 		return err
@@ -328,12 +327,12 @@ func testNewACLs(ctx context.Context, client *http.Client, tailnet, apiKey, poli

 var lineColMessageSplit = regexp.MustCompile(`line ([0-9]+), column ([0-9]+): (.*)$`)

-// ACLGitopsTestError is redefined here so we can add a custom .Error() response
-type ACLGitopsTestError struct {
-	tailscale.ACLTestError
+type ACLTestError struct {
+	Message string               `json:"message"`
+	Data    []ACLTestErrorDetail `json:"data"`
 }

-func (ate ACLGitopsTestError) Error() string {
+func (ate ACLTestError) Error() string {
 	var sb strings.Builder

 	if *githubSyntax && lineColMessageSplit.MatchString(ate.Message) {
@@ -350,28 +349,20 @@ func (ate ACLGitopsTestError) Error() string {
 	fmt.Fprintln(&sb)

 	for _, data := range ate.Data {
-		if data.User != "" {
-			fmt.Fprintf(&sb, "For user %s:\n", data.User)
-		}
-
-		if len(data.Errors) > 0 {
-			fmt.Fprint(&sb, "Errors found:\n")
-			for _, err := range data.Errors {
-				fmt.Fprintf(&sb, "- %s\n", err)
-			}
-		}
-
-		if len(data.Warnings) > 0 {
-			fmt.Fprint(&sb, "Warnings found:\n")
-			for _, err := range data.Warnings {
-				fmt.Fprintf(&sb, "- %s\n", err)
-			}
+		fmt.Fprintf(&sb, "For user %s:\n", data.User)
+		for _, err := range data.Errors {
+			fmt.Fprintf(&sb, "- %s\n", err)
 		}
 	}

 	return sb.String()
 }

+type ACLTestErrorDetail struct {
+	User   string   `json:"user"`
+	Errors []string `json:"errors"`
+}
+
 func getACLETag(ctx context.Context, client *http.Client, tailnet, apiKey string) (string, error) {
 	req, err := http.NewRequestWithContext(ctx, httpm.GET, fmt.Sprintf("https://%s/api/v2/tailnet/%s/acl", *apiServer, tailnet), nil)
 	if err != nil {
--- a/cmd/gitops-pusher/gitops-pusher_test.go
+++ b/cmd/gitops-pusher/gitops-pusher_test.go
@@ -1,55 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-package main
-
-import (
-	"encoding/json"
-	"strings"
-	"testing"
-
-	"tailscale.com/client/tailscale"
-)
-
-func TestEmbeddedTypeUnmarshal(t *testing.T) {
-	var gitopsErr ACLGitopsTestError
-	gitopsErr.Message = "gitops response error"
-	gitopsErr.Data = []tailscale.ACLTestFailureSummary{
-		{
-			User:   "GitopsError",
-			Errors: []string{"this was initially created as a gitops error"},
-		},
-	}
-
-	var aclTestErr tailscale.ACLTestError
-	aclTestErr.Message = "native ACL response error"
-	aclTestErr.Data = []tailscale.ACLTestFailureSummary{
-		{
-			User:   "ACLError",
-			Errors: []string{"this was initially created as an ACL error"},
-		},
-	}
-
-	t.Run("unmarshal gitops type from acl type", func(t *testing.T) {
-		b, _ := json.Marshal(aclTestErr)
-		var e ACLGitopsTestError
-		err := json.Unmarshal(b, &e)
-		if err != nil {
-			t.Fatal(err)
-		}
-		if !strings.Contains(e.Error(), "For user ACLError") { // the gitops error prints out the user, the acl error doesn't
-			t.Fatalf("user heading for 'ACLError' not found in gitops error: %v", e.Error())
-		}
-	})
-	t.Run("unmarshal acl type from gitops type", func(t *testing.T) {
-		b, _ := json.Marshal(gitopsErr)
-		var e tailscale.ACLTestError
-		err := json.Unmarshal(b, &e)
-		if err != nil {
-			t.Fatal(err)
-		}
-		expectedErr := `Status: 0, Message: "gitops response error", Data: [{User:GitopsError Errors:[this was initially created as a gitops error] Warnings:[]}]`
-		if e.Error() != expectedErr {
-			t.Fatalf("got %v\n, expected %v", e.Error(), expectedErr)
-		}
-	})
-}
--- a/cmd/k8s-operator/operator.go
+++ b/cmd/k8s-operator/operator.go
@@ -25,6 +25,7 @@ import (
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/fields"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/transport"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
@@ -37,6 +38,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/manager"
 	"sigs.k8s.io/controller-runtime/pkg/manager/signals"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"sigs.k8s.io/controller-runtime/pkg/source"
 	"sigs.k8s.io/yaml"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/hostinfo"
@@ -46,7 +48,6 @@ import (
 	"tailscale.com/types/logger"
 	"tailscale.com/types/opt"
 	"tailscale.com/util/dnsname"
-	"tailscale.com/version"
 )

 func main() {
@@ -63,7 +64,6 @@ func main() {
 		clientIDPath       = defaultEnv("CLIENT_ID_FILE", "")
 		clientSecretPath   = defaultEnv("CLIENT_SECRET_FILE", "")
 		image              = defaultEnv("PROXY_IMAGE", "tailscale/tailscale:latest")
-		priorityClassName  = defaultEnv("PROXY_PRIORITY_CLASS_NAME", "")
 		tags               = defaultEnv("PROXY_TAGS", "tag:k8s")
 		shouldRunAuthProxy = defaultBool("AUTH_PROXY", false)
 	)
@@ -183,33 +183,32 @@ waitOnline:
 	// the cache that sits a few layers below the builder stuff, which will
 	// implicitly filter what parts of the world the builder code gets to see at
 	// all.
-	nsFilter := cache.ByObject{
-		Field: client.InNamespace(tsNamespace).AsSelector(),
+	nsFilter := cache.ObjectSelector{
+		Field: fields.SelectorFromSet(fields.Set{"metadata.namespace": tsNamespace}),
 	}
 	restConfig := config.GetConfigOrDie()
 	mgr, err := manager.New(restConfig, manager.Options{
-		Cache: cache.Options{
-			ByObject: map[client.Object]cache.ByObject{
+		NewCache: cache.BuilderWithOptions(cache.Options{
+			SelectorsByObject: map[client.Object]cache.ObjectSelector{
 				&corev1.Secret{}:      nsFilter,
 				&appsv1.StatefulSet{}: nsFilter,
 			},
-		},
+		}),
 	})
 	if err != nil {
 		startlog.Fatalf("could not create manager: %v", err)
 	}

 	sr := &ServiceReconciler{
-		Client:                 mgr.GetClient(),
-		tsClient:               tsClient,
-		defaultTags:            strings.Split(tags, ","),
-		operatorNamespace:      tsNamespace,
-		proxyImage:             image,
-		proxyPriorityClassName: priorityClassName,
-		logger:                 zlog.Named("service-reconciler"),
+		Client:            mgr.GetClient(),
+		tsClient:          tsClient,
+		defaultTags:       strings.Split(tags, ","),
+		operatorNamespace: tsNamespace,
+		proxyImage:        image,
+		logger:            zlog.Named("service-reconciler"),
 	}

-	reconcileFilter := handler.EnqueueRequestsFromMapFunc(func(_ context.Context, o client.Object) []reconcile.Request {
+	reconcileFilter := handler.EnqueueRequestsFromMapFunc(func(o client.Object) []reconcile.Request {
 		ls := o.GetLabels()
 		if ls[LabelManaged] != "true" {
 			return nil
@@ -229,14 +228,14 @@ waitOnline:
 	err = builder.
 		ControllerManagedBy(mgr).
 		For(&corev1.Service{}).
-		Watches(&appsv1.StatefulSet{}, reconcileFilter).
-		Watches(&corev1.Secret{}, reconcileFilter).
+		Watches(&source.Kind{Type: &appsv1.StatefulSet{}}, reconcileFilter).
+		Watches(&source.Kind{Type: &corev1.Secret{}}, reconcileFilter).
 		Complete(sr)
 	if err != nil {
 		startlog.Fatalf("could not create controller: %v", err)
 	}

-	startlog.Infof("Startup complete, operator running, version: %s", version.Long())
+	startlog.Infof("Startup complete, operator running")
 	if shouldRunAuthProxy {
 		cfg, err := restConfig.TransportConfig()
 		if err != nil {
@@ -279,12 +278,11 @@ const (
 // ServiceReconciler is a simple ControllerManagedBy example implementation.
 type ServiceReconciler struct {
 	client.Client
-	tsClient               tsClient
-	defaultTags            []string
-	operatorNamespace      string
-	proxyImage             string
-	proxyPriorityClassName string
-	logger                 *zap.SugaredLogger
+	tsClient          tsClient
+	defaultTags       []string
+	operatorNamespace string
+	proxyImage        string
+	logger            *zap.SugaredLogger
 }

 type tsClient interface {
@@ -568,9 +566,6 @@ func (a *ServiceReconciler) getDeviceInfo(ctx context.Context, svc *corev1.Servi
 	if err != nil {
 		return "", "", err
 	}
-	if sec == nil {
-		return "", "", nil
-	}
 	id = string(sec.Data["device_id"])
 	if id == "" {
 		return "", "", nil
@@ -594,7 +589,6 @@ func (a *ServiceReconciler) newAuthKey(ctx context.Context, tags []string) (stri
 			},
 		},
 	}
-
 	key, _, err := a.tsClient.CreateKey(ctx, caps)
 	if err != nil {
 		return "", err
@@ -639,7 +633,6 @@ func (a *ServiceReconciler) reconcileSTS(ctx context.Context, logger *zap.Sugare
 	ss.Spec.Template.ObjectMeta.Labels = map[string]string{
 		"app": string(parentSvc.UID),
 	}
-	ss.Spec.Template.Spec.PriorityClassName = a.proxyPriorityClassName
 	logger.Debugf("reconciling statefulset %s/%s", ss.GetNamespace(), ss.GetName())
 	return createOrUpdate(ctx, a.Client, a.operatorNamespace, &ss, func(s *appsv1.StatefulSet) { s.Spec = ss.Spec })
 }
--- a/cmd/k8s-operator/operator_test.go
+++ b/cmd/k8s-operator/operator_test.go
@@ -64,7 +64,7 @@ func TestLoadBalancerClass(t *testing.T) {

 	expectEqual(t, fc, expectedSecret(fullName))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test", ""))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))

 	// Normally the Tailscale proxy pod would come up here and write its info
 	// into the secret. Simulate that, then verify reconcile again and verify
@@ -110,8 +110,6 @@ func TestLoadBalancerClass(t *testing.T) {
 	mustUpdate(t, fc, "default", "test", func(s *corev1.Service) {
 		s.Spec.Type = corev1.ServiceTypeClusterIP
 		s.Spec.LoadBalancerClass = nil
-	})
-	mustUpdateStatus(t, fc, "default", "test", func(s *corev1.Service) {
 		// Fake client doesn't automatically delete the LoadBalancer status when
 		// changing away from the LoadBalancer type, we have to do
 		// controller-manager's work by hand.
@@ -187,7 +185,7 @@ func TestAnnotations(t *testing.T) {

 	expectEqual(t, fc, expectedSecret(fullName))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test", ""))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))
 	want := &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "Service",
@@ -284,7 +282,7 @@ func TestAnnotationIntoLB(t *testing.T) {

 	expectEqual(t, fc, expectedSecret(fullName))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test", ""))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))

 	// Normally the Tailscale proxy pod would come up here and write its info
 	// into the secret. Simulate that, since it would have normally happened at
@@ -328,7 +326,7 @@ func TestAnnotationIntoLB(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")
 	// None of the proxy machinery should have changed...
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test", ""))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))
 	// ... but the service should have a LoadBalancer status.

 	want = &corev1.Service{
@@ -400,7 +398,7 @@ func TestLBIntoAnnotation(t *testing.T) {

 	expectEqual(t, fc, expectedSecret(fullName))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test", ""))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))

 	// Normally the Tailscale proxy pod would come up here and write its info
 	// into the secret. Simulate that, then verify reconcile again and verify
@@ -449,8 +447,6 @@ func TestLBIntoAnnotation(t *testing.T) {
 		}
 		s.Spec.Type = corev1.ServiceTypeClusterIP
 		s.Spec.LoadBalancerClass = nil
-	})
-	mustUpdateStatus(t, fc, "default", "test", func(s *corev1.Service) {
 		// Fake client doesn't automatically delete the LoadBalancer status when
 		// changing away from the LoadBalancer type, we have to do
 		// controller-manager's work by hand.
@@ -459,7 +455,7 @@ func TestLBIntoAnnotation(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")

 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test", ""))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "default-test"))

 	want = &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
@@ -526,7 +522,7 @@ func TestCustomHostname(t *testing.T) {

 	expectEqual(t, fc, expectedSecret(fullName))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "reindeer-flotilla", ""))
+	expectEqual(t, fc, expectedSTS(shortName, fullName, "reindeer-flotilla"))
 	want := &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "Service",
@@ -585,51 +581,6 @@ func TestCustomHostname(t *testing.T) {
 	expectEqual(t, fc, want)
 }

-func TestCustomPriorityClassName(t *testing.T) {
-	fc := fake.NewFakeClient()
-	ft := &fakeTSClient{}
-	zl, err := zap.NewDevelopment()
-	if err != nil {
-		t.Fatal(err)
-	}
-	sr := &ServiceReconciler{
-		Client:                 fc,
-		tsClient:               ft,
-		defaultTags:            []string{"tag:k8s"},
-		operatorNamespace:      "operator-ns",
-		proxyImage:             "tailscale/tailscale",
-		proxyPriorityClassName: "tailscale-critical",
-		logger:                 zl.Sugar(),
-	}
-
-	// Create a service that we should manage, and check that the initial round
-	// of objects looks right.
-	mustCreate(t, fc, &corev1.Service{
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      "test",
-			Namespace: "default",
-			// The apiserver is supposed to set the UID, but the fake client
-			// doesn't. So, set it explicitly because other code later depends
-			// on it being set.
-			UID: types.UID("1234-UID"),
-			Annotations: map[string]string{
-				"tailscale.com/expose":   "true",
-				"tailscale.com/hostname": "custom-priority-class-name",
-			},
-		},
-		Spec: corev1.ServiceSpec{
-			ClusterIP: "10.20.30.40",
-			Type:      corev1.ServiceTypeClusterIP,
-		},
-	})
-
-	expectReconciled(t, sr, "default", "test")
-
-	fullName, shortName := findGenName(t, fc, "default", "test")
-
-	expectEqual(t, fc, expectedSTS(shortName, fullName, "custom-priority-class-name", "tailscale-critical"))
-}
-
 func expectedSecret(name string) *corev1.Secret {
 	return &corev1.Secret{
 		TypeMeta: metav1.TypeMeta{
@@ -678,7 +629,7 @@ func expectedHeadlessService(name string) *corev1.Service {
 	}
 }

-func expectedSTS(stsName, secretName, hostname, priorityClassName string) *appsv1.StatefulSet {
+func expectedSTS(stsName, secretName, hostname string) *appsv1.StatefulSet {
 	return &appsv1.StatefulSet{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "StatefulSet",
@@ -707,7 +658,6 @@ func expectedSTS(stsName, secretName, hostname, priorityClassName string) *appsv
 				},
 				Spec: corev1.PodSpec{
 					ServiceAccountName: "proxies",
-					PriorityClassName:  priorityClassName,
 					InitContainers: []corev1.Container{
 						{
 							Name:    "sysctler",
@@ -781,21 +731,6 @@ func mustUpdate[T any, O ptrObject[T]](t *testing.T, client client.Client, ns, n
 	}
 }

-func mustUpdateStatus[T any, O ptrObject[T]](t *testing.T, client client.Client, ns, name string, update func(O)) {
-	t.Helper()
-	obj := O(new(T))
-	if err := client.Get(context.Background(), types.NamespacedName{
-		Name:      name,
-		Namespace: ns,
-	}, obj); err != nil {
-		t.Fatalf("getting %q: %v", name, err)
-	}
-	update(obj)
-	if err := client.Status().Update(context.Background(), obj); err != nil {
-		t.Fatalf("updating %q: %v", name, err)
-	}
-}
-
 func expectEqual[T any, O ptrObject[T]](t *testing.T, client client.Client, want O) {
 	t.Helper()
 	got := O(new(T))
@@ -879,6 +814,7 @@ func (c *fakeTSClient) CreateKey(ctx context.Context, caps tailscale.KeyCapabili
 	k := &tailscale.Key{
 		ID:           "key",
 		Created:      time.Now(),
+		Expires:      time.Now().Add(24 * time.Hour),
 		Capabilities: caps,
 	}
 	return "secret-authkey", k, nil
--- a/cmd/sniproxy/sniproxy.go
+++ b/cmd/sniproxy/sniproxy.go
@@ -26,7 +26,6 @@ import (

 var (
 	ports        = flag.String("ports", "443", "comma-separated list of ports to proxy")
-	wgPort       = flag.Int("wg-listen-port", 0, "UDP port to listen on for WireGuard and peer-to-peer traffic; 0 means automatically select")
 	promoteHTTPS = flag.Bool("promote-https", true, "promote HTTP to HTTPS")
 )

@@ -41,7 +40,6 @@ func main() {
 	hostinfo.SetApp("sniproxy")

 	var s server
-	s.ts.Port = uint16(*wgPort)
 	defer s.ts.Close()

 	lc, err := s.ts.LocalClient()
--- a/cmd/tailscale/cli/cli.go
+++ b/cmd/tailscale/cli/cli.go
@@ -129,12 +129,16 @@ change in the future.
 			certCmd,
 			netlockCmd,
 			licensesCmd,
-			exitNodeCmd,
 		},
 		FlagSet:   rootfs,
 		Exec:      func(context.Context, []string) error { return flag.ErrHelp },
 		UsageFunc: usageFunc,
 	}
+	for _, c := range rootCmd.Subcommands {
+		if c.UsageFunc == nil {
+			c.UsageFunc = usageFunc
+		}
+	}
 	if envknob.UseWIPCode() {
 		rootCmd.Subcommands = append(rootCmd.Subcommands,
 			idTokenCmd,
@@ -152,12 +156,6 @@ change in the future.
 		rootCmd.Subcommands = append(rootCmd.Subcommands, configureHostCmd)
 	}

-	for _, c := range rootCmd.Subcommands {
-		if c.UsageFunc == nil {
-			c.UsageFunc = usageFunc
-		}
-	}
-
 	if err := rootCmd.Parse(args); err != nil {
 		if errors.Is(err, flag.ErrHelp) {
 			return nil
--- a/cmd/tailscale/cli/cli_test.go
+++ b/cmd/tailscale/cli/cli_test.go
@@ -22,7 +22,6 @@ import (
 	"tailscale.com/tstest"
 	"tailscale.com/types/persist"
 	"tailscale.com/types/preftype"
-	"tailscale.com/util/cmpx"
 	"tailscale.com/version/distro"
 )

@@ -720,7 +719,10 @@ func TestPrefsFromUpArgs(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			var warnBuf tstest.MemLogger
-			goos := cmpx.Or(tt.goos, "linux")
+			goos := tt.goos
+			if goos == "" {
+				goos = "linux"
+			}
 			st := tt.st
 			if st == nil {
 				st = new(ipnstate.Status)
--- a/cmd/tailscale/cli/exitnode.go
+++ b/cmd/tailscale/cli/exitnode.go
@@ -1,245 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package cli
-
-import (
-	"context"
-	"errors"
-	"flag"
-	"fmt"
-
-	"os"
-	"strings"
-	"text/tabwriter"
-
-	"github.com/peterbourgon/ff/v3/ffcli"
-	"golang.org/x/exp/maps"
-	"golang.org/x/exp/slices"
-	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/tailcfg"
-)
-
-var exitNodeCmd = &ffcli.Command{
-	Name:       "exit-node",
-	ShortUsage: "exit-node [flags]",
-	Subcommands: []*ffcli.Command{
-		{
-			Name:       "list",
-			ShortUsage: "exit-node list [flags]",
-			ShortHelp:  "Show exit nodes",
-			Exec:       runExitNodeList,
-			FlagSet: (func() *flag.FlagSet {
-				fs := newFlagSet("list")
-				fs.StringVar(&exitNodeArgs.filter, "filter", "", "filter exit nodes by country")
-				return fs
-			})(),
-		},
-	},
-	Exec: func(context.Context, []string) error {
-		return errors.New("exit-node subcommand required; run 'tailscale exit-node -h' for details")
-	},
-}
-
-var exitNodeArgs struct {
-	filter string
-}
-
-// runExitNodeList returns a formatted list of exit nodes for a tailnet.
-// If the exit node has location and priority data, only the highest
-// priority node for each city location is shown to the user.
-// If the country location has more than one city, an 'Any' city
-// is returned for the country, which lists the highest priority
-// node in that country.
-// For countries without location data, each exit node is displayed.
-func runExitNodeList(ctx context.Context, args []string) error {
-	if len(args) > 0 {
-		return errors.New("unexpected non-flag arguments to 'tailscale exit-node list'")
-	}
-	getStatus := localClient.Status
-	st, err := getStatus(ctx)
-	if err != nil {
-		return fixTailscaledConnectError(err)
-	}
-
-	var peers []*ipnstate.PeerStatus
-	for _, ps := range st.Peer {
-		if !ps.ExitNodeOption {
-			// We only show location based exit nodes.
-			continue
-		}
-
-		peers = append(peers, ps)
-	}
-
-	if len(peers) == 0 {
-		return errors.New("no exit nodes found")
-	}
-
-	filteredPeers := filterFormatAndSortExitNodes(peers, exitNodeArgs.filter)
-
-	if len(filteredPeers.Countries) == 0 && exitNodeArgs.filter != "" {
-		return fmt.Errorf("no exit nodes found for %q", exitNodeArgs.filter)
-	}
-
-	w := tabwriter.NewWriter(os.Stdout, 10, 5, 5, ' ', 0)
-	defer w.Flush()
-	fmt.Fprintf(w, "\n %s\t%s\t%s\t%s\t%s\t", "IP", "HOSTNAME", "COUNTRY", "CITY", "STATUS")
-	for _, country := range filteredPeers.Countries {
-		for _, city := range country.Cities {
-			for _, peer := range city.Peers {
-
-				fmt.Fprintf(w, "\n %s\t%s\t%s\t%s\t%s\t", peer.TailscaleIPs[0], strings.Trim(peer.DNSName, "."), country.Name, city.Name, peerStatus(peer))
-			}
-		}
-	}
-	fmt.Fprintln(w)
-	fmt.Fprintln(w)
-	fmt.Fprintln(w, "# To use an exit node, use `tailscale set --exit-node=` followed by the hostname or IP")
-
-	return nil
-}
-
-// peerStatus returns a string representing the current state of
-// a peer. If there is no notable state, a - is returned.
-func peerStatus(peer *ipnstate.PeerStatus) string {
-	if !peer.Active {
-		if peer.ExitNode {
-			return "selected but offline"
-		}
-		if !peer.Online {
-			return "offline"
-		}
-	}
-
-	if peer.ExitNode {
-		return "selected"
-	}
-
-	return "-"
-}
-
-type filteredExitNodes struct {
-	Countries []*filteredCountry
-}
-
-type filteredCountry struct {
-	Name   string
-	Cities []*filteredCity
-}
-
-type filteredCity struct {
-	Name  string
-	Peers []*ipnstate.PeerStatus
-}
-
-const noLocationData = "-"
-
-// filterFormatAndSortExitNodes filters and sorts exit nodes into
-// alphabetical order, by country, city and then by priority if
-// present.
-// If an exit node has location data, and the country has more than
-// once city, an `Any` city is added to the country that contains the
-// highest priority exit node within that country.
-// For exit nodes without location data, their country fields are
-// defined as '-' to indicate that the data is not available.
-func filterFormatAndSortExitNodes(peers []*ipnstate.PeerStatus, filterBy string) filteredExitNodes {
-	countries := make(map[string]*filteredCountry)
-	cities := make(map[string]*filteredCity)
-	for _, ps := range peers {
-		if ps.Location == nil {
-			ps.Location = &tailcfg.Location{
-				Country:     noLocationData,
-				CountryCode: noLocationData,
-				City:        noLocationData,
-				CityCode:    noLocationData,
-			}
-		}
-
-		if filterBy != "" && ps.Location.Country != filterBy {
-			continue
-		}
-
-		co, coOK := countries[ps.Location.CountryCode]
-		if !coOK {
-			co = &filteredCountry{
-				Name: ps.Location.Country,
-			}
-			countries[ps.Location.CountryCode] = co
-
-		}
-
-		ci, ciOK := cities[ps.Location.CityCode]
-		if !ciOK {
-			ci = &filteredCity{
-				Name: ps.Location.City,
-			}
-			cities[ps.Location.CityCode] = ci
-			co.Cities = append(co.Cities, ci)
-		}
-		ci.Peers = append(ci.Peers, ps)
-	}
-
-	filteredExitNodes := filteredExitNodes{
-		Countries: maps.Values(countries),
-	}
-
-	for _, country := range filteredExitNodes.Countries {
-		if country.Name == noLocationData {
-			// Countries without location data should not
-			// be filtered further.
-			continue
-		}
-
-		var countryANYPeer []*ipnstate.PeerStatus
-		for _, city := range country.Cities {
-			sortPeersByPriority(city.Peers)
-			countryANYPeer = append(countryANYPeer, city.Peers...)
-			var reducedCityPeers []*ipnstate.PeerStatus
-			for i, peer := range city.Peers {
-				if i == 0 || peer.ExitNode {
-					// We only return the highest priority peer and any peer that
-					// is currently the active exit node.
-					reducedCityPeers = append(reducedCityPeers, peer)
-				}
-			}
-			city.Peers = reducedCityPeers
-		}
-		sortByCityName(country.Cities)
-		sortPeersByPriority(countryANYPeer)
-
-		if len(country.Cities) > 1 {
-			// For countries with more than one city, we want to return the
-			// option of the best peer for that country.
-			country.Cities = append([]*filteredCity{
-				{
-					Name:  "Any",
-					Peers: []*ipnstate.PeerStatus{countryANYPeer[0]},
-				},
-			}, country.Cities...)
-		}
-	}
-	sortByCountryName(filteredExitNodes.Countries)
-
-	return filteredExitNodes
-}
-
-// sortPeersByPriority sorts a slice of PeerStatus
-// by location.Priority, in order of highest priority.
-func sortPeersByPriority(peers []*ipnstate.PeerStatus) {
-	slices.SortFunc(peers, func(a, b *ipnstate.PeerStatus) bool { return a.Location.Priority > b.Location.Priority })
-}
-
-// sortByCityName sorts a slice of filteredCity alphabetically
-// by name. The '-' used to indicate no location data will always
-// be sorted to the front of the slice.
-func sortByCityName(cities []*filteredCity) {
-	slices.SortFunc(cities, func(a, b *filteredCity) bool { return a.Name < b.Name })
-}
-
-// sortByCountryName sorts a slice of filteredCountry alphabetically
-// by name. The '-' used to indicate no location data will always
-// be sorted to the front of the slice.
-func sortByCountryName(countries []*filteredCountry) {
-	slices.SortFunc(countries, func(a, b *filteredCountry) bool { return a.Name < b.Name })
-}
--- a/cmd/tailscale/cli/exitnode_test.go
+++ b/cmd/tailscale/cli/exitnode_test.go
@@ -1,308 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package cli
-
-import (
-	"testing"
-
-	"github.com/google/go-cmp/cmp"
-	"github.com/google/go-cmp/cmp/cmpopts"
-	"tailscale.com/ipn/ipnstate"
-	"tailscale.com/tailcfg"
-	"tailscale.com/types/key"
-)
-
-func TestFilterFormatAndSortExitNodes(t *testing.T) {
-	t.Run("without filter", func(t *testing.T) {
-		ps := []*ipnstate.PeerStatus{
-			{
-				HostName: "everest-1",
-				Location: &tailcfg.Location{
-					Country:     "Everest",
-					CountryCode: "evr",
-					City:        "Hillary",
-					CityCode:    "hil",
-					Priority:    100,
-				},
-			},
-			{
-				HostName: "lhotse-1",
-				Location: &tailcfg.Location{
-					Country:     "Lhotse",
-					CountryCode: "lho",
-					City:        "Fritz",
-					CityCode:    "fri",
-					Priority:    200,
-				},
-			},
-			{
-				HostName: "lhotse-2",
-				Location: &tailcfg.Location{
-					Country:     "Lhotse",
-					CountryCode: "lho",
-					City:        "Fritz",
-					CityCode:    "fri",
-					Priority:    100,
-				},
-			},
-			{
-				HostName: "nuptse-1",
-				Location: &tailcfg.Location{
-					Country:     "Nuptse",
-					CountryCode: "nup",
-					City:        "Walmsley",
-					CityCode:    "wal",
-					Priority:    200,
-				},
-			},
-			{
-				HostName: "nuptse-2",
-				Location: &tailcfg.Location{
-					Country:     "Nuptse",
-					CountryCode: "nup",
-					City:        "Bonington",
-					CityCode:    "bon",
-					Priority:    10,
-				},
-			},
-			{
-				HostName: "Makalu",
-			},
-		}
-
-		want := filteredExitNodes{
-			Countries: []*filteredCountry{
-				{
-					Name: noLocationData,
-					Cities: []*filteredCity{
-						{
-							Name: noLocationData,
-							Peers: []*ipnstate.PeerStatus{
-								ps[5],
-							},
-						},
-					},
-				},
-				{
-					Name: "Everest",
-					Cities: []*filteredCity{
-						{
-							Name: "Hillary",
-							Peers: []*ipnstate.PeerStatus{
-								ps[0],
-							},
-						},
-					},
-				},
-				{
-					Name: "Lhotse",
-					Cities: []*filteredCity{
-						{
-							Name: "Fritz",
-							Peers: []*ipnstate.PeerStatus{
-								ps[1],
-							},
-						},
-					},
-				},
-				{
-					Name: "Nuptse",
-					Cities: []*filteredCity{
-						{
-							Name: "Any",
-							Peers: []*ipnstate.PeerStatus{
-								ps[3],
-							},
-						},
-						{
-							Name: "Bonington",
-							Peers: []*ipnstate.PeerStatus{
-								ps[4],
-							},
-						},
-						{
-							Name: "Walmsley",
-							Peers: []*ipnstate.PeerStatus{
-								ps[3],
-							},
-						},
-					},
-				},
-			},
-		}
-
-		result := filterFormatAndSortExitNodes(ps, "")
-
-		if res := cmp.Diff(result.Countries, want.Countries, cmpopts.IgnoreUnexported(key.NodePublic{})); res != "" {
-			t.Fatalf(res)
-		}
-	})
-
-	t.Run("with country filter", func(t *testing.T) {
-		ps := []*ipnstate.PeerStatus{
-			{
-				HostName: "baker-1",
-				Location: &tailcfg.Location{
-					Country:     "Pacific",
-					CountryCode: "pst",
-					City:        "Baker",
-					CityCode:    "col",
-					Priority:    100,
-				},
-			},
-			{
-				HostName: "hood-1",
-				Location: &tailcfg.Location{
-					Country:     "Pacific",
-					CountryCode: "pst",
-					City:        "Hood",
-					CityCode:    "hoo",
-					Priority:    500,
-				},
-			},
-			{
-				HostName: "rainier-1",
-				Location: &tailcfg.Location{
-					Country:     "Pacific",
-					CountryCode: "pst",
-					City:        "Rainier",
-					CityCode:    "rai",
-					Priority:    100,
-				},
-			},
-			{
-				HostName: "rainier-2",
-				Location: &tailcfg.Location{
-					Country:     "Pacific",
-					CountryCode: "pst",
-					City:        "Rainier",
-					CityCode:    "rai",
-					Priority:    10,
-				},
-			},
-			{
-				HostName: "mitchell-1",
-				Location: &tailcfg.Location{
-					Country:     "Atlantic",
-					CountryCode: "atl",
-					City:        "Mitchell",
-					CityCode:    "mit",
-					Priority:    200,
-				},
-			},
-		}
-
-		want := filteredExitNodes{
-			Countries: []*filteredCountry{
-				{
-					Name: "Pacific",
-					Cities: []*filteredCity{
-						{
-							Name: "Any",
-							Peers: []*ipnstate.PeerStatus{
-								ps[1],
-							},
-						},
-						{
-							Name: "Baker",
-							Peers: []*ipnstate.PeerStatus{
-								ps[0],
-							},
-						},
-						{
-							Name: "Hood",
-							Peers: []*ipnstate.PeerStatus{
-								ps[1],
-							},
-						},
-						{
-							Name: "Rainier",
-							Peers: []*ipnstate.PeerStatus{
-								ps[2],
-							},
-						},
-					},
-				},
-			},
-		}
-
-		result := filterFormatAndSortExitNodes(ps, "Pacific")
-
-		if res := cmp.Diff(result.Countries, want.Countries, cmpopts.IgnoreUnexported(key.NodePublic{})); res != "" {
-			t.Fatalf(res)
-		}
-	})
-}
-
-func TestSortPeersByPriority(t *testing.T) {
-	ps := []*ipnstate.PeerStatus{
-		{
-			Location: &tailcfg.Location{
-				Priority: 100,
-			},
-		},
-		{
-			Location: &tailcfg.Location{
-				Priority: 200,
-			},
-		},
-		{
-			Location: &tailcfg.Location{
-				Priority: 300,
-			},
-		},
-	}
-
-	sortPeersByPriority(ps)
-
-	if ps[0].Location.Priority != 300 {
-		t.Fatalf("sortPeersByPriority did not order PeerStatus with highest priority as index 0, got %v, want %v", ps[0].Location.Priority, 300)
-	}
-}
-
-func TestSortByCountryName(t *testing.T) {
-	fc := []*filteredCountry{
-		{
-			Name: "Albania",
-		},
-		{
-			Name: "Sweden",
-		},
-		{
-			Name: "Zimbabwe",
-		},
-		{
-			Name: noLocationData,
-		},
-	}
-
-	sortByCountryName(fc)
-
-	if fc[0].Name != noLocationData {
-		t.Fatalf("sortByCountryName did not order countries by alphabetical order, got %v, want %v", fc[0].Name, noLocationData)
-	}
-}
-
-func TestSortByCityName(t *testing.T) {
-	fc := []*filteredCity{
-		{
-			Name: "Kingston",
-		},
-		{
-			Name: "Goteborg",
-		},
-		{
-			Name: "Squamish",
-		},
-		{
-			Name: noLocationData,
-		},
-	}
-
-	sortByCityName(fc)
-
-	if fc[0].Name != noLocationData {
-		t.Fatalf("sortByCityName did not order cities by alphabetical order, got %v, want %v", fc[0].Name, noLocationData)
-	}
-}
--- a/cmd/tailscale/cli/funnel.go
+++ b/cmd/tailscale/cli/funnel.go
@@ -30,10 +30,10 @@ func newFunnelCommand(e *serveEnv) *ffcli.Command {
 	return &ffcli.Command{
 		Name:      "funnel",
 		ShortHelp: "Turn on/off Funnel service",
-		ShortUsage: strings.Join([]string{
-			"funnel <serve-port> {on|off}",
-			"funnel status [--json]",
-		}, "\n  "),
+		ShortUsage: strings.TrimSpace(`
+funnel <serve-port> {on|off}
+  funnel status [--json]
+`),
 		LongHelp: strings.Join([]string{
 			"Funnel allows you to publish a 'tailscale serve'",
 			"server publicly, open to the entire internet.",
--- a/cmd/tailscale/cli/network-lock.go
+++ b/cmd/tailscale/cli/network-lock.go
@@ -465,16 +465,7 @@ func runNetworkLockSign(ctx context.Context, args []string) error {
 		}
 	}

-	err := localClient.NetworkLockSign(ctx, nodeKey, []byte(rotationKey.Verifier()))
-	// Provide a better help message for when someone clicks through the signing flow
-	// on the wrong device.
-	if err != nil && strings.Contains(err.Error(), "this node is not trusted by network lock") {
-		fmt.Fprintln(os.Stderr, "Error: Signing is not available on this device because it does not have a trusted tailnet lock key.")
-		fmt.Fprintln(os.Stderr)
-		fmt.Fprintln(os.Stderr, "Try again on a signing device instead. Tailnet admins can see signing devices on the admin panel.")
-		fmt.Fprintln(os.Stderr)
-	}
-	return err
+	return localClient.NetworkLockSign(ctx, nodeKey, []byte(rotationKey.Verifier()))
 }

 var nlDisableCmd = &ffcli.Command{
--- a/cmd/tailscale/cli/ping.go
+++ b/cmd/tailscale/cli/ping.go
@@ -51,16 +51,14 @@ relay node.
 		fs.BoolVar(&pingArgs.tsmp, "tsmp", false, "do a TSMP-level ping (through WireGuard, but not either host OS stack)")
 		fs.BoolVar(&pingArgs.icmp, "icmp", false, "do a ICMP-level ping (through WireGuard, but not the local host OS stack)")
 		fs.BoolVar(&pingArgs.peerAPI, "peerapi", false, "try hitting the peer's peerapi HTTP server")
-		fs.IntVar(&pingArgs.num, "c", 10, "max number of pings to send. 0 for infinity.")
+		fs.IntVar(&pingArgs.num, "c", 10, "max number of pings to send")
 		fs.DurationVar(&pingArgs.timeout, "timeout", 5*time.Second, "timeout before giving up on a ping")
-		fs.IntVar(&pingArgs.size, "size", 0, "send a packet with this many bytes in the payload (disco pings only). 0 for minimum size.")
 		return fs
 	})(),
 }

 var pingArgs struct {
 	num         int
-	size        int
 	untilDirect bool
 	verbose     bool
 	tsmp        bool
@@ -117,7 +115,7 @@ func runPing(ctx context.Context, args []string) error {
 	for {
 		n++
 		ctx, cancel := context.WithTimeout(ctx, pingArgs.timeout)
-		pr, err := localClient.Ping(ctx, netip.MustParseAddr(ip), pingType(), pingArgs.size)
+		pr, err := localClient.Ping(ctx, netip.MustParseAddr(ip), pingType())
 		cancel()
 		if err != nil {
 			if errors.Is(err, context.DeadlineExceeded) {
@@ -158,9 +156,6 @@ func runPing(ctx context.Context, args []string) error {
 		if pr.PeerAPIPort != 0 {
 			extra = fmt.Sprintf(", %d", pr.PeerAPIPort)
 		}
-		if pr.Size != 0 {
-			extra = fmt.Sprintf(", %d bytes", pr.Size)
-		}
 		printf("pong from %s (%s%s) via %v in %v\n", pr.NodeName, pr.NodeIP, extra, via, latency)
 		if pingArgs.tsmp || pingArgs.icmp {
 			return nil
--- a/cmd/tailscale/cli/serve.go
+++ b/cmd/tailscale/cli/serve.go
@@ -35,14 +35,12 @@ func newServeCommand(e *serveEnv) *ffcli.Command {
 	return &ffcli.Command{
 		Name:      "serve",
 		ShortHelp: "Serve content and local servers",
-		ShortUsage: strings.Join([]string{
-			"serve http:<port> <mount-point> <source> [off]",
-			"serve https:<port> <mount-point> <source> [off]",
-			"serve tcp:<port> tcp://localhost:<local-port> [off]",
-			"serve tls-terminated-tcp:<port> tcp://localhost:<local-port> [off]",
-			"serve status [--json]",
-			"serve reset",
-		}, "\n  "),
+		ShortUsage: strings.TrimSpace(`
+serve https:<port> <mount-point> <source> [off]
+  serve tcp:<port> tcp://localhost:<local-port> [off]
+  serve tls-terminated-tcp:<port> tcp://localhost:<local-port> [off]
+  serve status [--json]
+`),
 		LongHelp: strings.TrimSpace(`
 *** BETA; all of this is subject to change ***

@@ -59,8 +57,8 @@ EXAMPLES
  - To proxy requests to a web server at 127.0.0.1:3000:
    $ tailscale serve https:443 / http://127.0.0.1:3000

-    Or, using the default port (443):
-    $ tailscale serve https / http://127.0.0.1:3000
+	Or, using the default port:
+	$ tailscale serve https / http://127.0.0.1:3000

  - To serve a single file or a directory of files:
    $ tailscale serve https / /home/alice/blog/index.html
@@ -69,12 +67,6 @@ EXAMPLES
  - To serve simple static text:
    $ tailscale serve https:8080 / text:"Hello, world!"

-  - To serve over HTTP (tailnet only):
-    $ tailscale serve http:80 / http://127.0.0.1:3000
-
-    Or, using the default port (80):
-    $ tailscale serve http / http://127.0.0.1:3000
-
  - To forward incoming TCP connections on port 2222 to a local TCP server on
    port 22 (e.g. to run OpenSSH in parallel with Tailscale SSH):
    $ tailscale serve tcp:2222 tcp://localhost:22
@@ -95,13 +87,6 @@ EXAMPLES
 				}),
 				UsageFunc: usageFunc,
 			},
-			{
-				Name:      "reset",
-				Exec:      e.runServeReset,
-				ShortHelp: "reset current serve/funnel config",
-				FlagSet:   e.newFlags("serve-reset", nil),
-				UsageFunc: usageFunc,
-			},
 		},
 	}
 }
@@ -182,7 +167,6 @@ func (e *serveEnv) getLocalClientStatus(ctx context.Context) (*ipnstate.Status,
 // serve config types like proxy, path, and text.
 //
 // Examples:
-// - tailscale serve http / http://localhost:3000
 // - tailscale serve https / http://localhost:3000
 // - tailscale serve https /images/ /var/www/images/
 // - tailscale serve https:10000 /motd.txt text:"Hello, world!"
@@ -207,14 +191,19 @@ func (e *serveEnv) runServe(ctx context.Context, args []string) error {
 		return e.lc.SetServeConfig(ctx, sc)
 	}

+	parsePort := func(portStr string) (uint16, error) {
+		port64, err := strconv.ParseUint(portStr, 10, 16)
+		if err != nil {
+			return 0, err
+		}
+		return uint16(port64), nil
+	}
+
 	srcType, srcPortStr, found := strings.Cut(args[0], ":")
 	if !found {
 		if srcType == "https" && srcPortStr == "" {
 			// Default https port to 443.
 			srcPortStr = "443"
-		} else if srcType == "http" && srcPortStr == "" {
-			// Default http port to 80.
-			srcPortStr = "80"
 		} else {
 			return flag.ErrHelp
 		}
@@ -222,18 +211,18 @@ func (e *serveEnv) runServe(ctx context.Context, args []string) error {

 	turnOff := "off" == args[len(args)-1]

-	if len(args) < 2 || ((srcType == "https" || srcType == "http") && !turnOff && len(args) < 3) {
+	if len(args) < 2 || (srcType == "https" && !turnOff && len(args) < 3) {
 		fmt.Fprintf(os.Stderr, "error: invalid number of arguments\n\n")
 		return flag.ErrHelp
 	}

-	srcPort, err := parseServePort(srcPortStr)
+	srcPort, err := parsePort(srcPortStr)
 	if err != nil {
-		return fmt.Errorf("invalid port %q: %w", srcPortStr, err)
+		return err
 	}

 	switch srcType {
-	case "https", "http":
+	case "https":
 		mount, err := cleanMountPoint(args[1])
 		if err != nil {
 			return err
@@ -241,8 +230,7 @@ func (e *serveEnv) runServe(ctx context.Context, args []string) error {
 		if turnOff {
 			return e.handleWebServeRemove(ctx, srcPort, mount)
 		}
-		useTLS := srcType == "https"
-		return e.handleWebServe(ctx, srcPort, useTLS, mount, args[2])
+		return e.handleWebServe(ctx, srcPort, mount, args[2])
 	case "tcp", "tls-terminated-tcp":
 		if turnOff {
 			return e.handleTCPServeRemove(ctx, srcPort)
@@ -250,20 +238,20 @@ func (e *serveEnv) runServe(ctx context.Context, args []string) error {
 		return e.handleTCPServe(ctx, srcType, srcPort, args[1])
 	default:
 		fmt.Fprintf(os.Stderr, "error: invalid serve type %q\n", srcType)
-		fmt.Fprint(os.Stderr, "must be one of: http:<port>, https:<port>, tcp:<port> or tls-terminated-tcp:<port>\n\n", srcType)
+		fmt.Fprint(os.Stderr, "must be one of: https:<port>, tcp:<port> or tls-terminated-tcp:<port>\n\n", srcType)
 		return flag.ErrHelp
 	}
 }

-// handleWebServe handles the "tailscale serve (http/https):..." subcommand. It
-// configures the serve config to forward HTTPS connections to the given source.
+// handleWebServe handles the "tailscale serve https:..." subcommand.
+// It configures the serve config to forward HTTPS connections to the
+// given source.
 //
 // Examples:
-//   - tailscale serve http / http://localhost:3000
 //   - tailscale serve https / http://localhost:3000
 //   - tailscale serve https:8443 /files/ /home/alice/shared-files/
 //   - tailscale serve https:10000 /motd.txt text:"Hello, world!"
-func (e *serveEnv) handleWebServe(ctx context.Context, srvPort uint16, useTLS bool, mount, source string) error {
+func (e *serveEnv) handleWebServe(ctx context.Context, srvPort uint16, mount, source string) error {
 	h := new(ipn.HTTPHandler)

 	ts, _, _ := strings.Cut(source, ":")
@@ -322,7 +310,7 @@ func (e *serveEnv) handleWebServe(ctx context.Context, srvPort uint16, useTLS bo
 		return flag.ErrHelp
 	}

-	mak.Set(&sc.TCP, srvPort, &ipn.TCPPortHandler{HTTPS: useTLS, HTTP: !useTLS})
+	mak.Set(&sc.TCP, srvPort, &ipn.TCPPortHandler{HTTPS: true})

 	if _, ok := sc.Web[hp]; !ok {
 		mak.Set(&sc.Web, hp, new(ipn.WebServerConfig))
@@ -630,10 +618,7 @@ func (e *serveEnv) runServeStatus(ctx context.Context, args []string) error {
 		printf("\n")
 	}
 	for hp := range sc.Web {
-		err := e.printWebStatusTree(sc, hp)
-		if err != nil {
-			return err
-		}
+		printWebStatusTree(sc, hp)
 		printf("\n")
 	}
 	printFunnelWarning(sc)
@@ -672,37 +657,20 @@ func printTCPStatusTree(ctx context.Context, sc *ipn.ServeConfig, st *ipnstate.S
 	return nil
 }

-func (e *serveEnv) printWebStatusTree(sc *ipn.ServeConfig, hp ipn.HostPort) error {
-	// No-op if no serve config
+func printWebStatusTree(sc *ipn.ServeConfig, hp ipn.HostPort) {
 	if sc == nil {
-		return nil
+		return
 	}
 	fStatus := "tailnet only"
 	if sc.AllowFunnel[hp] {
 		fStatus = "Funnel on"
 	}
 	host, portStr, _ := net.SplitHostPort(string(hp))
-
-	port, err := parseServePort(portStr)
-	if err != nil {
-		return fmt.Errorf("invalid port %q: %w", portStr, err)
+	if portStr == "443" {
+		printf("https://%s (%s)\n", host, fStatus)
+	} else {
+		printf("https://%s:%s (%s)\n", host, portStr, fStatus)
 	}
-
-	scheme := "https"
-	if sc.IsServingHTTP(port) {
-		scheme = "http"
-	}
-
-	portPart := ":" + portStr
-	if scheme == "http" && portStr == "80" ||
-		scheme == "https" && portStr == "443" {
-		portPart = ""
-	}
-	if scheme == "http" {
-		hostname, _, _ := strings.Cut(host, ".")
-		printf("%s://%s%s (%s)\n", scheme, hostname, portPart, fStatus)
-	}
-	printf("%s://%s%s (%s)\n", scheme, host, portPart, fStatus)
 	srvTypeAndDesc := func(h *ipn.HTTPHandler) (string, string) {
 		switch {
 		case h.Path != "":
@@ -729,8 +697,6 @@ func (e *serveEnv) printWebStatusTree(sc *ipn.ServeConfig, hp ipn.HostPort) erro
 		t, d := srvTypeAndDesc(h)
 		printf("%s %s%s %-5s %s\n", "|--", m, strings.Repeat(" ", maxLen-len(m)), t, d)
 	}
-
-	return nil
 }

 func elipticallyTruncate(s string, max int) string {
@@ -739,28 +705,3 @@ func elipticallyTruncate(s string, max int) string {
 	}
 	return s[:max-3] + "..."
 }
-
-// runServeReset clears out the current serve config.
-//
-// Usage:
-//   - tailscale serve reset
-func (e *serveEnv) runServeReset(ctx context.Context, args []string) error {
-	if len(args) != 0 {
-		return flag.ErrHelp
-	}
-	sc := new(ipn.ServeConfig)
-	return e.lc.SetServeConfig(ctx, sc)
-}
-
-// parseServePort parses a port number from a string and returns it as a
-// uint16. It returns an error if the port number is invalid or zero.
-func parseServePort(s string) (uint16, error) {
-	p, err := strconv.ParseUint(s, 10, 16)
-	if err != nil {
-		return 0, err
-	}
-	if p == 0 {
-		return 0, errors.New("port number must be non-zero")
-	}
-	return uint16(p), nil
-}
--- a/cmd/tailscale/cli/serve_test.go
+++ b/cmd/tailscale/cli/serve_test.go
@@ -89,59 +89,6 @@ func TestServeConfigMutations(t *testing.T) {
 		wantErr: exactErr(flag.ErrHelp, "flag.ErrHelp"),
 	})

-	// https
-	add(step{reset: true})
-	add(step{ // allow omitting port (default to 80)
-		command: cmd("http / http://localhost:3000"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{80: {HTTP: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:80": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-			},
-		},
-	})
-	add(step{ // support non Funnel port
-		command: cmd("http:9999 /abc http://localhost:3001"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{80: {HTTP: true}, 9999: {HTTP: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:80": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-				"foo.test.ts.net:9999": {Handlers: map[string]*ipn.HTTPHandler{
-					"/abc": {Proxy: "http://127.0.0.1:3001"},
-				}},
-			},
-		},
-	})
-	add(step{
-		command: cmd("http:9999 /abc off"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{80: {HTTP: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:80": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-			},
-		},
-	})
-	add(step{
-		command: cmd("http:8080 /abc http://127.0.0.1:3001"),
-		want: &ipn.ServeConfig{
-			TCP: map[uint16]*ipn.TCPPortHandler{80: {HTTP: true}, 8080: {HTTP: true}},
-			Web: map[ipn.HostPort]*ipn.WebServerConfig{
-				"foo.test.ts.net:80": {Handlers: map[string]*ipn.HTTPHandler{
-					"/": {Proxy: "http://127.0.0.1:3000"},
-				}},
-				"foo.test.ts.net:8080": {Handlers: map[string]*ipn.HTTPHandler{
-					"/abc": {Proxy: "http://127.0.0.1:3001"},
-				}},
-			},
-		},
-	})
-
 	// https
 	add(step{reset: true})
 	add(step{
@@ -277,10 +224,7 @@ func TestServeConfigMutations(t *testing.T) {
 		command: cmd("https:443 bar https://127.0.0.1:8443"),
 		want:    nil, // nothing to save
 	})
-	add(step{ // try resetting using reset command
-		command: cmd("reset"),
-		want:    &ipn.ServeConfig{},
-	})
+	add(step{reset: true})
 	add(step{
 		command: cmd("https:443 / https+insecure://127.0.0.1:3001"),
 		want: &ipn.ServeConfig{
--- a/cmd/tailscale/cli/status.go
+++ b/cmd/tailscale/cli/status.go
@@ -200,8 +200,6 @@ func runStatus(ctx context.Context, args []string) error {
 	if statusArgs.self && st.Self != nil {
 		printPS(st.Self)
 	}
-
-	locBasedExitNode := false
 	if statusArgs.peers {
 		var peers []*ipnstate.PeerStatus
 		for _, peer := range st.Peers() {
@@ -209,12 +207,6 @@ func runStatus(ctx context.Context, args []string) error {
 			if ps.ShareeNode {
 				continue
 			}
-			if ps.Location != nil && ps.ExitNodeOption && !ps.ExitNode {
-				// Location based exit nodes are only shown with the
-				// `exit-node list` command.
-				locBasedExitNode = true
-				continue
-			}
 			peers = append(peers, ps)
 		}
 		ipnstate.SortPeers(peers)
@@ -226,10 +218,6 @@ func runStatus(ctx context.Context, args []string) error {
 		}
 	}
 	Stdout.Write(buf.Bytes())
-	if locBasedExitNode {
-		println()
-		println("# To see the full list of exit nodes, including location-based exit nodes, run `tailscale exit-node list`  \n")
-	}
 	if len(st.Health) > 0 {
 		outln()
 		printHealth()
--- a/cmd/tailscale/cli/up.go
+++ b/cmd/tailscale/cli/up.go
@@ -30,6 +30,7 @@ import (
 	qrcode "github.com/skip2/go-qrcode"
 	"golang.org/x/oauth2/clientcredentials"
 	"tailscale.com/client/tailscale"
+	"tailscale.com/envknob"
 	"tailscale.com/health/healthmsg"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
@@ -725,8 +726,7 @@ func runUp(ctx context.Context, cmd string, args []string, upArgs upArgsT) (retE
 // the health check, rather than just a string.
 func upWorthyWarning(s string) bool {
 	return strings.Contains(s, healthmsg.TailscaleSSHOnBut) ||
-		strings.Contains(s, healthmsg.WarnAcceptRoutesOff) ||
-		strings.Contains(s, healthmsg.LockedOut)
+		strings.Contains(s, healthmsg.WarnAcceptRoutesOff)
 }

 func checkUpWarnings(ctx context.Context) {
@@ -1132,6 +1132,9 @@ func resolveAuthKey(ctx context.Context, v, tags string) (string, error) {
 	if !strings.HasPrefix(v, "tskey-client-") {
 		return v, nil
 	}
+	if !envknob.Bool("TS_EXPERIMENT_OAUTH_AUTHKEY") {
+		return "", errors.New("oauth authkeys are in experimental status")
+	}
 	if tags == "" {
 		return "", errors.New("oauth authkeys require --advertise-tags")
 	}
--- a/cmd/tailscale/cli/update.go
+++ b/cmd/tailscale/cli/update.go
@@ -44,27 +44,17 @@ var updateCmd = &ffcli.Command{
 		fs := newFlagSet("update")
 		fs.BoolVar(&updateArgs.yes, "yes", false, "update without interactive prompts")
 		fs.BoolVar(&updateArgs.dryRun, "dry-run", false, "print what update would do without doing it, or prompts")
-		fs.BoolVar(&updateArgs.appStore, "app-store", false, "HIDDEN: check the App Store for updates, even if this is not an App Store install (for testing only)")
-		// These flags are not supported on several systems that only provide
-		// the latest version of Tailscale:
-		//
-		//  - Arch (and other pacman-based distros)
-		//  - Alpine (and other apk-based distros)
-		//  - FreeBSD (and other pkg-based distros)
-		if distro.Get() != distro.Arch && distro.Get() != distro.Alpine && runtime.GOOS != "freebsd" {
-			fs.StringVar(&updateArgs.track, "track", "", `which track to check for updates: "stable" or "unstable" (dev); empty means same as current`)
-			fs.StringVar(&updateArgs.version, "version", "", `explicit version to update/downgrade to`)
-		}
+		fs.StringVar(&updateArgs.track, "track", "", `which track to check for updates: "stable" or "unstable" (dev); empty means same as current`)
+		fs.StringVar(&updateArgs.version, "version", "", `explicit version to update/downgrade to`)
 		return fs
 	})(),
 }

 var updateArgs struct {
-	yes      bool
-	dryRun   bool
-	appStore bool
-	track    string // explicit track; empty means same as current
-	version  string // explicit version; empty means auto
+	yes     bool
+	dryRun  bool
+	track   string // explicit track; empty means same as current
+	version string // explicit version; empty means auto
 }

 // winMSIEnv is the environment variable that, if set, is the MSI file for the
@@ -147,37 +137,16 @@ func newUpdater() (*updater, error) {
 			up.update = up.updateSynology
 		case distro.Debian: // includes Ubuntu
 			up.update = up.updateDebLike
-		case distro.Arch:
-			up.update = up.updateArchLike
-		case distro.Alpine:
-			up.update = up.updateAlpineLike
-		}
-		// TODO(awly): add support for Alpine
-		switch {
-		case haveExecutable("pacman"):
-			up.update = up.updateArchLike
-		case haveExecutable("apt-get"): // TODO(awly): add support for "apt"
-			// The distro.Debian switch case above should catch most apt-based
-			// systems, but add this fallback just in case.
-			up.update = up.updateDebLike
-		case haveExecutable("dnf"):
-			up.update = up.updateFedoraLike("dnf")
-		case haveExecutable("yum"):
-			up.update = up.updateFedoraLike("yum")
-		case haveExecutable("apk"):
-			up.update = up.updateAlpineLike
 		}
 	case "darwin":
 		switch {
-		case !updateArgs.appStore && !version.IsSandboxedMacOS():
+		case !version.IsSandboxedMacOS():
 			return nil, errors.New("The 'update' command is not yet supported on this platform; see https://github.com/tailscale/tailscale/wiki/Tailscaled-on-macOS/ for now")
-		case !updateArgs.appStore && strings.HasSuffix(os.Getenv("HOME"), "/io.tailscale.ipn.macsys/Data"):
+		case strings.HasSuffix(os.Getenv("HOME"), "/io.tailscale.ipn.macsys/Data"):
 			up.update = up.updateMacSys
 		default:
-			up.update = up.updateMacAppStore
+			return nil, errors.New("This is the macOS App Store version of Tailscale; update in the App Store, or see https://tailscale.com/s/unstable-clients to use TestFlight or to install the non-App Store version")
 		}
-	case "freebsd":
-		up.update = up.updateFreeBSD
 	}
 	if up.update == nil {
 		return nil, errors.New("The 'update' command is not supported on this platform; see https://tailscale.com/s/client-updates")
@@ -202,8 +171,6 @@ func (up *updater) currentOrDryRun(ver string) bool {
 	return false
 }

-var errUserAborted = errors.New("aborting update")
-
 func (up *updater) confirm(ver string) error {
 	if updateArgs.yes {
 		log.Printf("Updating Tailscale from %v to %v; --yes given, continuing without prompts.\n", version.Short(), ver)
@@ -218,7 +185,7 @@ func (up *updater) confirm(ver string) error {
 	case "y", "yes", "sure":
 		return nil
 	}
-	return errUserAborted
+	return errors.New("aborting update")
 }

 func (up *updater) updateSynology() error {
@@ -230,22 +197,48 @@ func (up *updater) updateSynology() error {
 }

 func (up *updater) updateDebLike() error {
-	ver, err := requestedTailscaleVersion(updateArgs.version, up.track)
-	if err != nil {
-		return err
+	ver := updateArgs.version
+	if ver == "" {
+		res, err := http.Get("https://pkgs.tailscale.com/" + up.track + "/?mode=json")
+		if err != nil {
+			return err
+		}
+		var latest struct {
+			Tarballs map[string]string // ~goarch (ignoring "geode") => "tailscale_1.34.2_mips.tgz"
+		}
+		err = json.NewDecoder(res.Body).Decode(&latest)
+		res.Body.Close()
+		if err != nil {
+			return fmt.Errorf("decoding JSON: %v: %w", res.Status, err)
+		}
+		f, ok := latest.Tarballs[runtime.GOARCH]
+		if !ok {
+			return fmt.Errorf("can't update architecture %q", runtime.GOARCH)
+		}
+		ver, _, ok = strings.Cut(strings.TrimPrefix(f, "tailscale_"), "_")
+		if !ok {
+			return fmt.Errorf("can't parse version from %q", f)
+		}
 	}
 	if up.currentOrDryRun(ver) {
 		return nil
 	}

-	if err := requireRoot(); err != nil {
-		return err
+	track := "unstable"
+	if stable, ok := versionIsStable(ver); !ok {
+		return fmt.Errorf("malformed version %q", ver)
+	} else if stable {
+		track = "stable"
 	}

-	if updated, err := updateDebianAptSourcesList(up.track); err != nil {
+	if os.Geteuid() != 0 {
+		return errors.New("must be root; use sudo")
+	}
+
+	if updated, err := updateDebianAptSourcesList(track); err != nil {
 		return err
 	} else if updated {
-		fmt.Printf("Updated %s to use the %s track\n", aptSourcesFile, up.track)
+		fmt.Printf("Updated %s to use the %s track\n", aptSourcesFile, track)
 	}

 	cmd := exec.Command("apt-get", "update",
@@ -331,204 +324,6 @@ func updateDebianAptSourcesListBytes(was []byte, dstTrack string) (newContent []
 	return buf.Bytes(), nil
 }

-func (up *updater) updateArchLike() (err error) {
-	if err := requireRoot(); err != nil {
-		return err
-	}
-
-	defer func() {
-		if err != nil && !errors.Is(err, errUserAborted) {
-			err = fmt.Errorf(`%w; you can try updating using "pacman --sync --refresh tailscale"`, err)
-		}
-	}()
-
-	out, err := exec.Command("pacman", "--sync", "--refresh", "--info", "tailscale").CombinedOutput()
-	if err != nil {
-		return fmt.Errorf("failed checking pacman for latest tailscale version: %w, output: %q", err, out)
-	}
-	ver, err := parsePacmanVersion(out)
-	if err != nil {
-		return err
-	}
-	if up.currentOrDryRun(ver) {
-		return nil
-	}
-	if err := up.confirm(ver); err != nil {
-		return err
-	}
-
-	cmd := exec.Command("pacman", "--sync", "--noconfirm", "tailscale")
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	if err := cmd.Run(); err != nil {
-		return fmt.Errorf("failed tailscale update using pacman: %w", err)
-	}
-	return nil
-}
-
-func parsePacmanVersion(out []byte) (string, error) {
-	for _, line := range strings.Split(string(out), "\n") {
-		// The line we're looking for looks like this:
-		// Version         : 1.44.2-1
-		if !strings.HasPrefix(line, "Version") {
-			continue
-		}
-		parts := strings.SplitN(line, ":", 2)
-		if len(parts) != 2 {
-			return "", fmt.Errorf("version output from pacman is malformed: %q, cannot determine upgrade version", line)
-		}
-		ver := strings.TrimSpace(parts[1])
-		// Trim the Arch patch version.
-		ver = strings.Split(ver, "-")[0]
-		if ver == "" {
-			return "", fmt.Errorf("version output from pacman is malformed: %q, cannot determine upgrade version", line)
-		}
-		return ver, nil
-	}
-	return "", fmt.Errorf("could not find latest version of tailscale via pacman")
-}
-
-const yumRepoConfigFile = "/etc/yum.repos.d/tailscale.repo"
-
-// updateFedoraLike updates tailscale on any distros in the Fedora family,
-// specifically anything that uses "dnf" or "yum" package managers. The actual
-// package manager is passed via packageManager.
-func (up *updater) updateFedoraLike(packageManager string) func() error {
-	return func() (err error) {
-		if err := requireRoot(); err != nil {
-			return err
-		}
-		defer func() {
-			if err != nil && !errors.Is(err, errUserAborted) {
-				err = fmt.Errorf(`%w; you can try updating using "%s upgrade tailscale"`, err, packageManager)
-			}
-		}()
-
-		ver, err := requestedTailscaleVersion(updateArgs.version, up.track)
-		if err != nil {
-			return err
-		}
-		if up.currentOrDryRun(ver) {
-			return nil
-		}
-		if err := up.confirm(ver); err != nil {
-			return err
-		}
-
-		if updated, err := updateYUMRepoTrack(yumRepoConfigFile, up.track); err != nil {
-			return err
-		} else if updated {
-			fmt.Printf("Updated %s to use the %s track\n", yumRepoConfigFile, up.track)
-		}
-
-		cmd := exec.Command(packageManager, "install", "--assumeyes", fmt.Sprintf("tailscale-%s-1", ver))
-		cmd.Stdout = os.Stdout
-		cmd.Stderr = os.Stderr
-		if err := cmd.Run(); err != nil {
-			return err
-		}
-		return nil
-	}
-}
-
-// updateYUMRepoTrack updates the repoFile file to make sure it has the
-// provided track (stable or unstable) in it.
-func updateYUMRepoTrack(repoFile, dstTrack string) (rewrote bool, err error) {
-	was, err := os.ReadFile(repoFile)
-	if err != nil {
-		return false, err
-	}
-
-	urlRe := regexp.MustCompile(`^(baseurl|gpgkey)=https://pkgs\.tailscale\.com/(un)?stable/`)
-	urlReplacement := fmt.Sprintf("$1=https://pkgs.tailscale.com/%s/", dstTrack)
-
-	s := bufio.NewScanner(bytes.NewReader(was))
-	newContent := bytes.NewBuffer(make([]byte, 0, len(was)))
-	for s.Scan() {
-		line := s.Text()
-		// Handle repo section name, like "[tailscale-stable]".
-		if len(line) > 0 && line[0] == '[' {
-			if !strings.HasPrefix(line, "[tailscale-") {
-				return false, fmt.Errorf("%q does not look like a tailscale repo file, it contains an unexpected %q section", repoFile, line)
-			}
-			fmt.Fprintf(newContent, "[tailscale-%s]\n", dstTrack)
-			continue
-		}
-		// Update the track mentioned in repo name.
-		if strings.HasPrefix(line, "name=") {
-			fmt.Fprintf(newContent, "name=Tailscale %s\n", dstTrack)
-			continue
-		}
-		// Update the actual repo URLs.
-		if strings.HasPrefix(line, "baseurl=") || strings.HasPrefix(line, "gpgkey=") {
-			fmt.Fprintln(newContent, urlRe.ReplaceAllString(line, urlReplacement))
-			continue
-		}
-		fmt.Fprintln(newContent, line)
-	}
-	if bytes.Equal(was, newContent.Bytes()) {
-		return false, nil
-	}
-	return true, os.WriteFile(repoFile, newContent.Bytes(), 0644)
-}
-
-func (up *updater) updateAlpineLike() (err error) {
-	if err := requireRoot(); err != nil {
-		return err
-	}
-
-	defer func() {
-		if err != nil && !errors.Is(err, errUserAborted) {
-			err = fmt.Errorf(`%w; you can try updating using "apk upgrade tailscale"`, err)
-		}
-	}()
-
-	out, err := exec.Command("apk", "update").CombinedOutput()
-	if err != nil {
-		return fmt.Errorf("failed refresh apk repository indexes: %w, output: %q", err, out)
-	}
-	out, err = exec.Command("apk", "info", "tailscale").CombinedOutput()
-	if err != nil {
-		return fmt.Errorf("failed checking apk for latest tailscale version: %w, output: %q", err, out)
-	}
-	ver, err := parseAlpinePackageVersion(out)
-	if err != nil {
-		return fmt.Errorf(`failed to parse latest version from "apk info tailscale": %w`, err)
-	}
-	if up.currentOrDryRun(ver) {
-		return nil
-	}
-	if err := up.confirm(ver); err != nil {
-		return err
-	}
-
-	cmd := exec.Command("apk", "upgrade", "tailscale")
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	if err := cmd.Run(); err != nil {
-		return fmt.Errorf("failed tailscale update using apk: %w", err)
-	}
-	return nil
-}
-
-func parseAlpinePackageVersion(out []byte) (string, error) {
-	s := bufio.NewScanner(bytes.NewReader(out))
-	for s.Scan() {
-		// The line should look like this:
-		// tailscale-1.44.2-r0 description:
-		line := strings.TrimSpace(s.Text())
-		if !strings.HasPrefix(line, "tailscale-") {
-			continue
-		}
-		parts := strings.SplitN(line, "-", 3)
-		if len(parts) < 3 {
-			return "", fmt.Errorf("malformed info line: %q", line)
-		}
-		return parts[1], nil
-	}
-	return "", errors.New("tailscale version not found in output")
-}
-
 func (up *updater) updateMacSys() error {
 	// use sparkle? do we have permissions from this context? does sudo help?
 	// We can at least fail with a command they can run to update from the shell.
@@ -538,68 +333,30 @@ func (up *updater) updateMacSys() error {
 	return errors.New("The 'update' command is not yet implemented on macOS.")
 }

-func (up *updater) updateMacAppStore() error {
-	out, err := exec.Command("defaults", "read", "/Library/Preferences/com.apple.commerce.plist", "AutoUpdate").CombinedOutput()
-	if err != nil {
-		return fmt.Errorf("can't check App Store auto-update setting: %w, output: %q", err, string(out))
-	}
-	const on = "1\n"
-	if string(out) != on {
-		fmt.Fprintln(os.Stderr, "NOTE: Automatic updating for App Store apps is turned off. You can change this setting in System Settings (search for ‘update’).")
-	}
-
-	out, err = exec.Command("softwareupdate", "--list").CombinedOutput()
-	if err != nil {
-		return fmt.Errorf("can't check App Store for available updates: %w, output: %q", err, string(out))
-	}
-
-	newTailscale := parseSoftwareupdateList(out)
-	if newTailscale == "" {
-		fmt.Println("no Tailscale update available")
-		return nil
-	}
-
-	newTailscaleVer := strings.TrimPrefix(newTailscale, "Tailscale-")
-	if up.currentOrDryRun(newTailscaleVer) {
-		return nil
-	}
-	if err := up.confirm(newTailscaleVer); err != nil {
-		return err
-	}
-
-	cmd := exec.Command("sudo", "softwareupdate", "--install", newTailscale)
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	if err := cmd.Run(); err != nil {
-		return fmt.Errorf("can't install App Store update for Tailscale: %w", err)
-	}
-	return nil
-}
-
-var macOSAppStoreListPattern = regexp.MustCompile(`(?m)^\s+\*\s+Label:\s*(Tailscale-\d[\d\.]+)`)
-
-// parseSoftwareupdateList searches the output of `softwareupdate --list` on
-// Darwin and returns the matching Tailscale package label. If there is none,
-// returns the empty string.
-//
-// See TestParseSoftwareupdateList for example inputs.
-func parseSoftwareupdateList(stdout []byte) string {
-	matches := macOSAppStoreListPattern.FindSubmatch(stdout)
-	if len(matches) < 2 {
-		return ""
-	}
-	return string(matches[1])
-}
-
 var (
 	verifyAuthenticode func(string) error // or nil on non-Windows
 	markTempFileFunc   func(string) error // or nil on non-Windows
 )

 func (up *updater) updateWindows() error {
-	ver, err := requestedTailscaleVersion(updateArgs.version, up.track)
-	if err != nil {
-		return err
+	ver := updateArgs.version
+	if ver == "" {
+		res, err := http.Get("https://pkgs.tailscale.com/" + up.track + "/?mode=json&os=windows")
+		if err != nil {
+			return err
+		}
+		var latest struct {
+			Version string
+		}
+		err = json.NewDecoder(res.Body).Decode(&latest)
+		res.Body.Close()
+		if err != nil {
+			return fmt.Errorf("decoding JSON: %v: %w", res.Status, err)
+		}
+		ver = latest.Version
+		if ver == "" {
+			return errors.New("no version found")
+		}
 	}
 	arch := runtime.GOARCH
 	if arch == "386" {
@@ -828,81 +585,3 @@ func (pw *progressWriter) print() {
 	pw.lastPrint = time.Now()
 	log.Printf("Downloaded %v/%v (%.1f%%)", pw.done, pw.total, float64(pw.done)/float64(pw.total)*100)
 }
-
-func (up *updater) updateFreeBSD() (err error) {
-	if err := requireRoot(); err != nil {
-		return err
-	}
-
-	defer func() {
-		if err != nil && !errors.Is(err, errUserAborted) {
-			err = fmt.Errorf(`%w; you can try updating using "pkg upgrade tailscale"`, err)
-		}
-	}()
-
-	out, err := exec.Command("pkg", "update").CombinedOutput()
-	if err != nil {
-		return fmt.Errorf("failed refresh pkg repository indexes: %w, output: %q", err, out)
-	}
-	out, err = exec.Command("pkg", "rquery", "%v", "tailscale").CombinedOutput()
-	if err != nil {
-		return fmt.Errorf("failed checking pkg for latest tailscale version: %w, output: %q", err, out)
-	}
-	ver := string(bytes.TrimSpace(out))
-	if up.currentOrDryRun(ver) {
-		return nil
-	}
-	if err := up.confirm(ver); err != nil {
-		return err
-	}
-
-	cmd := exec.Command("pkg", "upgrade", "tailscale")
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	if err := cmd.Run(); err != nil {
-		return fmt.Errorf("failed tailscale update using pkg: %w", err)
-	}
-	return nil
-}
-
-func haveExecutable(name string) bool {
-	path, err := exec.LookPath(name)
-	return err == nil && path != ""
-}
-
-func requestedTailscaleVersion(ver, track string) (string, error) {
-	if ver != "" {
-		return ver, nil
-	}
-	url := fmt.Sprintf("https://pkgs.tailscale.com/%s/?mode=json&os=%s", track, runtime.GOOS)
-	res, err := http.Get(url)
-	if err != nil {
-		return "", fmt.Errorf("fetching latest tailscale version: %w", err)
-	}
-	var latest struct {
-		Version string
-	}
-	err = json.NewDecoder(res.Body).Decode(&latest)
-	res.Body.Close()
-	if err != nil {
-		return "", fmt.Errorf("decoding JSON: %v: %w", res.Status, err)
-	}
-	if latest.Version == "" {
-		return "", fmt.Errorf("no version found at %q", url)
-	}
-	return latest.Version, nil
-}
-
-func requireRoot() error {
-	if os.Geteuid() == 0 {
-		return nil
-	}
-	switch runtime.GOOS {
-	case "linux":
-		return errors.New("must be root; use sudo")
-	case "freebsd", "openbsd":
-		return errors.New("must be root; use doas")
-	default:
-		return errors.New("must be root")
-	}
-}
--- a/cmd/tailscale/cli/update_test.go
+++ b/cmd/tailscale/cli/update_test.go
@@ -3,11 +3,7 @@

 package cli

-import (
-	"os"
-	"path/filepath"
-	"testing"
-)
+import "testing"

 func TestUpdateDebianAptSourcesListBytes(t *testing.T) {
 	tests := []struct {
@@ -77,366 +73,3 @@ func TestUpdateDebianAptSourcesListBytes(t *testing.T) {
 		})
 	}
 }
-
-func TestParseSoftwareupdateList(t *testing.T) {
-	tests := []struct {
-		name  string
-		input []byte
-		want  string
-	}{
-		{
-			name: "update-at-end-of-list",
-			input: []byte(`
-	 Software Update Tool
-
-	 Finding available software
-	 Software Update found the following new or updated software:
-			* Label: MacBookAirEFIUpdate2.4-2.4
-					 Title: MacBook Air EFI Firmware Update, Version: 2.4, Size: 3817K, Recommended: YES, Action: restart,
-			* Label: ProAppsQTCodecs-1.0
-					 Title: ProApps QuickTime codecs, Version: 1.0, Size: 968K, Recommended: YES,
-			* Label: Tailscale-1.23.4
-					 Title: The Tailscale VPN, Version: 1.23.4, Size: 1023K, Recommended: YES,
-`),
-			want: "Tailscale-1.23.4",
-		},
-		{
-			name: "update-in-middle-of-list",
-			input: []byte(`
-	 Software Update Tool
-
-	 Finding available software
-	 Software Update found the following new or updated software:
-			* Label: MacBookAirEFIUpdate2.4-2.4
-					 Title: MacBook Air EFI Firmware Update, Version: 2.4, Size: 3817K, Recommended: YES, Action: restart,
-			* Label: Tailscale-1.23.5000
-					 Title: The Tailscale VPN, Version: 1.23.4, Size: 1023K, Recommended: YES,
-			* Label: ProAppsQTCodecs-1.0
-					 Title: ProApps QuickTime codecs, Version: 1.0, Size: 968K, Recommended: YES,
-`),
-			want: "Tailscale-1.23.5000",
-		},
-		{
-			name: "update-not-in-list",
-			input: []byte(`
-	 Software Update Tool
-
-	 Finding available software
-	 Software Update found the following new or updated software:
-			* Label: MacBookAirEFIUpdate2.4-2.4
-					 Title: MacBook Air EFI Firmware Update, Version: 2.4, Size: 3817K, Recommended: YES, Action: restart,
-			* Label: ProAppsQTCodecs-1.0
-					 Title: ProApps QuickTime codecs, Version: 1.0, Size: 968K, Recommended: YES,
-`),
-			want: "",
-		},
-		{
-			name: "decoy-in-list",
-			input: []byte(`
-	 Software Update Tool
-
-	 Finding available software
-	 Software Update found the following new or updated software:
-			* Label: MacBookAirEFIUpdate2.4-2.4
-					 Title: MacBook Air EFI Firmware Update, Version: 2.4, Size: 3817K, Recommended: YES, Action: restart,
-			* Label: Malware-1.0
-					 Title: * Label: Tailscale-0.99.0, Version: 1.0, Size: 968K, Recommended: NOT REALLY TBH,
-`),
-			want: "",
-		},
-	}
-
-	for _, test := range tests {
-		t.Run(test.name, func(t *testing.T) {
-			got := parseSoftwareupdateList(test.input)
-			if test.want != got {
-				t.Fatalf("got %q, want %q", got, test.want)
-			}
-		})
-	}
-}
-
-func TestParsePacmanVersion(t *testing.T) {
-	tests := []struct {
-		desc    string
-		out     string
-		want    string
-		wantErr bool
-	}{
-		{
-			desc: "valid version",
-			out: `
-:: Synchronizing package databases...
- endeavouros is up to date
- core is up to date
- extra is up to date
- multilib is up to date
-Repository      : extra
-Name            : tailscale
-Version         : 1.44.2-1
-Description     : A mesh VPN that makes it easy to connect your devices, wherever they are.
-Architecture    : x86_64
-URL             : https://tailscale.com
-Licenses        : MIT
-Groups          : None
-Provides        : None
-Depends On      : glibc
-Optional Deps   : None
-Conflicts With  : None
-Replaces        : None
-Download Size   : 7.98 MiB
-Installed Size  : 32.47 MiB
-Packager        : Christian Heusel <gromit@archlinux.org>
-Build Date      : Tue 18 Jul 2023 12:28:37 PM PDT
-Validated By    : MD5 Sum  SHA-256 Sum  Signature
-`,
-			want: "1.44.2",
-		},
-		{
-			desc: "version without Arch patch number",
-			out: `
-... snip ...
-Name            : tailscale
-Version         : 1.44.2
-Description     : A mesh VPN that makes it easy to connect your devices, wherever they are.
-... snip ...
-`,
-			want: "1.44.2",
-		},
-		{
-			desc: "missing version",
-			out: `
-... snip ...
-Name            : tailscale
-Description     : A mesh VPN that makes it easy to connect your devices, wherever they are.
-... snip ...
-`,
-			wantErr: true,
-		},
-		{
-			desc: "empty version",
-			out: `
-... snip ...
-Name            : tailscale
-Version         :
-Description     : A mesh VPN that makes it easy to connect your devices, wherever they are.
-... snip ...
-`,
-			wantErr: true,
-		},
-		{
-			desc:    "empty input",
-			out:     "",
-			wantErr: true,
-		},
-		{
-			desc: "sneaky version in description",
-			out: `
-... snip ...
-Name            : tailscale
-Description     : A mesh VPN that makes it easy to connect your devices, wherever they are. Version : 1.2.3
-Version         : 1.44.2
-... snip ...
-`,
-			want: "1.44.2",
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.desc, func(t *testing.T) {
-			got, err := parsePacmanVersion([]byte(tt.out))
-			if err == nil && tt.wantErr {
-				t.Fatalf("got nil error and version %q, want non-nil error", got)
-			}
-			if err != nil && !tt.wantErr {
-				t.Fatalf("got error: %q, want nil", err)
-			}
-			if got != tt.want {
-				t.Fatalf("got version: %q, want %q", got, tt.want)
-			}
-		})
-	}
-}
-
-func TestUpdateYUMRepoTrack(t *testing.T) {
-	tests := []struct {
-		desc    string
-		before  string
-		track   string
-		after   string
-		rewrote bool
-		wantErr bool
-	}{
-		{
-			desc: "same track",
-			before: `
-[tailscale-stable]
-name=Tailscale stable
-baseurl=https://pkgs.tailscale.com/stable/fedora/$basearch
-enabled=1
-type=rpm
-repo_gpgcheck=1
-gpgcheck=0
-gpgkey=https://pkgs.tailscale.com/stable/fedora/repo.gpg
-`,
-			track: "stable",
-			after: `
-[tailscale-stable]
-name=Tailscale stable
-baseurl=https://pkgs.tailscale.com/stable/fedora/$basearch
-enabled=1
-type=rpm
-repo_gpgcheck=1
-gpgcheck=0
-gpgkey=https://pkgs.tailscale.com/stable/fedora/repo.gpg
-`,
-		},
-		{
-			desc: "change track",
-			before: `
-[tailscale-stable]
-name=Tailscale stable
-baseurl=https://pkgs.tailscale.com/stable/fedora/$basearch
-enabled=1
-type=rpm
-repo_gpgcheck=1
-gpgcheck=0
-gpgkey=https://pkgs.tailscale.com/stable/fedora/repo.gpg
-`,
-			track: "unstable",
-			after: `
-[tailscale-unstable]
-name=Tailscale unstable
-baseurl=https://pkgs.tailscale.com/unstable/fedora/$basearch
-enabled=1
-type=rpm
-repo_gpgcheck=1
-gpgcheck=0
-gpgkey=https://pkgs.tailscale.com/unstable/fedora/repo.gpg
-`,
-			rewrote: true,
-		},
-		{
-			desc: "non-tailscale repo file",
-			before: `
-[fedora]
-name=Fedora $releasever - $basearch
-#baseurl=http://download.example/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/
-metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
-enabled=1
-countme=1
-metadata_expire=7d
-repo_gpgcheck=0
-type=rpm
-gpgcheck=1
-gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
-skip_if_unavailable=False
-`,
-			track:   "stable",
-			wantErr: true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.desc, func(t *testing.T) {
-			path := filepath.Join(t.TempDir(), "tailscale.repo")
-			if err := os.WriteFile(path, []byte(tt.before), 0644); err != nil {
-				t.Fatal(err)
-			}
-
-			rewrote, err := updateYUMRepoTrack(path, tt.track)
-			if err == nil && tt.wantErr {
-				t.Fatal("got nil error, want non-nil")
-			}
-			if err != nil && !tt.wantErr {
-				t.Fatalf("got error %q, want nil", err)
-			}
-			if err != nil {
-				return
-			}
-			if rewrote != tt.rewrote {
-				t.Errorf("got rewrote flag %v, want %v", rewrote, tt.rewrote)
-			}
-
-			after, err := os.ReadFile(path)
-			if err != nil {
-				t.Fatal(err)
-			}
-			if string(after) != tt.after {
-				t.Errorf("got repo file after update:\n%swant:\n%s", after, tt.after)
-			}
-		})
-	}
-}
-
-func TestParseAlpinePackageVersion(t *testing.T) {
-	tests := []struct {
-		desc    string
-		out     string
-		want    string
-		wantErr bool
-	}{
-		{
-			desc: "valid version",
-			out: `
-tailscale-1.44.2-r0 description:
-The easiest, most secure way to use WireGuard and 2FA
-
-tailscale-1.44.2-r0 webpage:
-https://tailscale.com/
-
-tailscale-1.44.2-r0 installed size:
-32 MiB
-`,
-			want: "1.44.2",
-		},
-		{
-			desc: "wrong package output",
-			out: `
-busybox-1.36.1-r0 description:
-Size optimized toolbox of many common UNIX utilities
-
-busybox-1.36.1-r0 webpage:
-https://busybox.net/
-
-busybox-1.36.1-r0 installed size:
-924 KiB
-`,
-			wantErr: true,
-		},
-		{
-			desc: "missing version",
-			out: `
-tailscale description:
-The easiest, most secure way to use WireGuard and 2FA
-
-tailscale webpage:
-https://tailscale.com/
-
-tailscale installed size:
-32 MiB
-`,
-			wantErr: true,
-		},
-		{
-			desc:    "empty output",
-			out:     "",
-			wantErr: true,
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.desc, func(t *testing.T) {
-			got, err := parseAlpinePackageVersion([]byte(tt.out))
-			if err == nil && tt.wantErr {
-				t.Fatalf("got nil error and version %q, want non-nil error", got)
-			}
-			if err != nil && !tt.wantErr {
-				t.Fatalf("got error: %q, want nil", err)
-			}
-			if got != tt.want {
-				t.Fatalf("got version: %q, want %q", got, tt.want)
-			}
-		})
-	}
-}
--- a/cmd/tailscale/cli/web.go
+++ b/cmd/tailscale/cli/web.go
@@ -29,7 +29,6 @@ import (
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/tailcfg"
-	"tailscale.com/util/cmpx"
 	"tailscale.com/util/groupmember"
 	"tailscale.com/version/distro"
 )
@@ -156,7 +155,10 @@ func runWeb(ctx context.Context, args []string) error {
 // urlOfListenAddr parses a given listen address into a formatted URL
 func urlOfListenAddr(addr string) string {
 	host, port, _ := net.SplitHostPort(addr)
-	return fmt.Sprintf("http://%s", net.JoinHostPort(cmpx.Or(host, "127.0.0.1"), port))
+	if host == "" {
+		host = "127.0.0.1"
+	}
+	return fmt.Sprintf("http://%s", net.JoinHostPort(host, port))
 }

 // authorize returns the name of the user accessing the web UI after verifying
@@ -440,9 +442,9 @@ func webHandler(w http.ResponseWriter, r *http.Request) {
 		LicensesURL:  licensesURL(),
 		TUNMode:      st.TUN,
 		IsSynology:   distro.Get() == distro.Synology || envknob.Bool("TS_FAKE_SYNOLOGY"),
-		DSMVersion:   distro.DSMVersion(),
 		IsUnraid:     distro.Get() == distro.Unraid,
 		UnraidToken:  os.Getenv("UNRAID_CSRF_TOKEN"),
+		DSMVersion:   distro.DSMVersion(),
 		IPNVersion:   versionShort,
 	}
 	exitNodeRouteV4 := netip.MustParsePrefix("0.0.0.0/0")
--- a/cmd/tailscale/cli/web.html
+++ b/cmd/tailscale/cli/web.html
@@ -144,14 +144,12 @@ function postData(e) {
 	const nextUrl = new URL(window.location);
 	nextUrl.search = nextParams.toString()

-	let body = JSON.stringify(data);
 	let contentType = "application/json";
-
+	let body = JSON.stringify(data);
 	if (isUnraid) {
 		const params = new URLSearchParams();
 		params.append("csrf_token", unraidCsrfToken);
 		params.append("ts_data", JSON.stringify(data));
-
 		body = params.toString();
 		contentType = "application/x-www-form-urlencoded;charset=UTF-8";
 	}
--- a/cmd/tailscale/depaware.txt
+++ b/cmd/tailscale/depaware.txt
@@ -10,15 +10,8 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
   W 💣 github.com/alexbrainman/sspi                                 from github.com/alexbrainman/sspi/negotiate+
   W    github.com/alexbrainman/sspi/internal/common                 from github.com/alexbrainman/sspi/negotiate
   W 💣 github.com/alexbrainman/sspi/negotiate                       from tailscale.com/net/tshttpproxy
-   L    github.com/coreos/go-iptables/iptables                       from tailscale.com/util/linuxfw
        github.com/fxamacker/cbor/v2                                 from tailscale.com/tka
        github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
-   L    github.com/google/nftables                                   from tailscale.com/util/linuxfw
-   L 💣 github.com/google/nftables/alignedbuff                       from github.com/google/nftables/xt
-   L 💣 github.com/google/nftables/binaryutil                        from github.com/google/nftables+
-   L    github.com/google/nftables/expr                              from github.com/google/nftables+
-   L    github.com/google/nftables/internal/parseexprfunc            from github.com/google/nftables+
-   L    github.com/google/nftables/xt                                from github.com/google/nftables/expr+
        github.com/google/uuid                                       from tailscale.com/util/quarantine+
        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka
   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
@@ -30,9 +23,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
     💣 github.com/mattn/go-isatty                                   from github.com/mattn/go-colorable+
   L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
-   L    github.com/mdlayher/netlink/nltest                           from github.com/google/nftables
   L 💣 github.com/mdlayher/socket                                   from github.com/mdlayher/netlink
-        github.com/miekg/dns                                         from tailscale.com/net/dns/recursive
     💣 github.com/mitchellh/go-ps                                   from tailscale.com/cmd/tailscale/cli+
        github.com/peterbourgon/ff/v3                                from github.com/peterbourgon/ff/v3/ffcli
        github.com/peterbourgon/ff/v3/ffcli                          from tailscale.com/cmd/tailscale/cli
@@ -45,11 +36,8 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        github.com/tailscale/goupnp/scpd                             from github.com/tailscale/goupnp
        github.com/tailscale/goupnp/soap                             from github.com/tailscale/goupnp+
        github.com/tailscale/goupnp/ssdp                             from github.com/tailscale/goupnp
-   L 💣 github.com/tailscale/netlink                                 from tailscale.com/util/linuxfw
        github.com/tcnksm/go-httpstat                                from tailscale.com/net/netcheck
        github.com/toqueteos/webbrowser                              from tailscale.com/cmd/tailscale/cli
-   L 💣 github.com/vishvananda/netlink/nl                            from github.com/tailscale/netlink
-   L    github.com/vishvananda/netns                                 from github.com/tailscale/netlink+
        github.com/x448/float16                                      from github.com/fxamacker/cbor/v2
     💣 go4.org/mem                                                  from tailscale.com/derp+
        go4.org/netipx                                               from tailscale.com/wgengine/filter
@@ -80,7 +68,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/ipn                                            from tailscale.com/cmd/tailscale/cli+
        tailscale.com/ipn/ipnstate                                   from tailscale.com/cmd/tailscale/cli+
        tailscale.com/metrics                                        from tailscale.com/derp
-        tailscale.com/net/dns/recursive                              from tailscale.com/net/dnsfallback
        tailscale.com/net/dnscache                                   from tailscale.com/derp/derphttp+
        tailscale.com/net/dnsfallback                                from tailscale.com/control/controlhttp
        tailscale.com/net/flowtrack                                  from tailscale.com/wgengine/filter+
@@ -97,7 +84,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/net/portmapper                                 from tailscale.com/net/netcheck+
        tailscale.com/net/sockstats                                  from tailscale.com/control/controlhttp+
        tailscale.com/net/stun                                       from tailscale.com/net/netcheck
-   L    tailscale.com/net/tcpinfo                                    from tailscale.com/derp
        tailscale.com/net/tlsdial                                    from tailscale.com/derp/derphttp+
        tailscale.com/net/tsaddr                                     from tailscale.com/net/interfaces+
     💣 tailscale.com/net/tshttpproxy                                from tailscale.com/derp/derphttp+
@@ -108,7 +94,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/tailcfg                                        from tailscale.com/cmd/tailscale/cli+
        tailscale.com/tka                                            from tailscale.com/client/tailscale+
   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
-        tailscale.com/tstime                                         from tailscale.com/derp+
     💣 tailscale.com/tstime/mono                                    from tailscale.com/tstime/rate
        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter+
        tailscale.com/types/dnstype                                  from tailscale.com/tailcfg
@@ -129,13 +114,11 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/util/clientmetric                              from tailscale.com/net/netcheck+
        tailscale.com/util/cloudenv                                  from tailscale.com/net/dnscache+
   W    tailscale.com/util/cmpver                                    from tailscale.com/net/tshttpproxy
-        tailscale.com/util/cmpx                                      from tailscale.com/cmd/tailscale/cli+
   L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics
        tailscale.com/util/dnsname                                   from tailscale.com/cmd/tailscale/cli+
        tailscale.com/util/groupmember                               from tailscale.com/cmd/tailscale/cli
        tailscale.com/util/httpm                                     from tailscale.com/client/tailscale
        tailscale.com/util/lineread                                  from tailscale.com/net/interfaces+
-   L    tailscale.com/util/linuxfw                                   from tailscale.com/net/netns
        tailscale.com/util/mak                                       from tailscale.com/net/netcheck+
        tailscale.com/util/multierr                                  from tailscale.com/control/controlhttp+
        tailscale.com/util/must                                      from tailscale.com/cmd/tailscale/cli
@@ -161,8 +144,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
        golang.org/x/crypto/pbkdf2                                   from software.sslmate.com/src/go-pkcs12
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
-        golang.org/x/exp/constraints                                 from golang.org/x/exp/slices+
-        golang.org/x/exp/maps                                        from tailscale.com/types/views+
+        golang.org/x/exp/constraints                                 from golang.org/x/exp/slices
        golang.org/x/exp/slices                                      from tailscale.com/net/tsaddr+
        golang.org/x/net/bpf                                         from github.com/mdlayher/netlink+
        golang.org/x/net/dns/dnsmessage                              from net+
@@ -222,7 +204,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        embed                                                        from tailscale.com/cmd/tailscale/cli+
        encoding                                                     from encoding/json+
        encoding/asn1                                                from crypto/x509+
-        encoding/base32                                              from tailscale.com/tka+
+        encoding/base32                                              from tailscale.com/tka
        encoding/base64                                              from encoding/json+
        encoding/binary                                              from compress/gzip+
        encoding/hex                                                 from crypto/x509+
@@ -246,7 +228,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        io/fs                                                        from crypto/x509+
        io/ioutil                                                    from golang.org/x/sys/cpu+
        log                                                          from expvar+
-        log/internal                                                 from log
        math                                                         from compress/flate+
        math/big                                                     from crypto/dsa+
        math/bits                                                    from compress/flate+
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@@ -75,7 +75,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   L    github.com/aws/smithy-go/transport/http                      from github.com/aws/aws-sdk-go-v2/aws/middleware+
   L    github.com/aws/smithy-go/transport/http/internal/io          from github.com/aws/smithy-go/transport/http
   L    github.com/aws/smithy-go/waiter                              from github.com/aws/aws-sdk-go-v2/service/ssm
-   L    github.com/coreos/go-iptables/iptables                       from tailscale.com/util/linuxfw
+   L    github.com/coreos/go-iptables/iptables                       from tailscale.com/wgengine/router
  LD 💣 github.com/creack/pty                                        from tailscale.com/ssh/tailssh
   W 💣 github.com/dblohm7/wingoes                                   from github.com/dblohm7/wingoes/com
   W 💣 github.com/dblohm7/wingoes/com                               from tailscale.com/cmd/tailscaled
@@ -86,12 +86,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   L 💣 github.com/godbus/dbus/v5                                    from tailscale.com/net/dns+
        github.com/golang/groupcache/lru                             from tailscale.com/net/dnscache
        github.com/google/btree                                      from gvisor.dev/gvisor/pkg/tcpip/header+
-   L    github.com/google/nftables                                   from tailscale.com/util/linuxfw
-   L 💣 github.com/google/nftables/alignedbuff                       from github.com/google/nftables/xt
-   L 💣 github.com/google/nftables/binaryutil                        from github.com/google/nftables+
-   L    github.com/google/nftables/expr                              from github.com/google/nftables+
-   L    github.com/google/nftables/internal/parseexprfunc            from github.com/google/nftables+
-   L    github.com/google/nftables/xt                                from github.com/google/nftables/expr+
        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka
   L 💣 github.com/illarion/gonotify                                 from tailscale.com/net/dns
   L    github.com/insomniacslk/dhcp/dhcpv4                          from tailscale.com/net/tstun
@@ -115,10 +109,8 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   L    github.com/mdlayher/genetlink                                from tailscale.com/net/tstun
   L 💣 github.com/mdlayher/netlink                                  from github.com/jsimonetti/rtnetlink+
   L 💣 github.com/mdlayher/netlink/nlenc                            from github.com/jsimonetti/rtnetlink+
-   L    github.com/mdlayher/netlink/nltest                           from github.com/google/nftables
   L    github.com/mdlayher/sdnotify                                 from tailscale.com/util/systemd
   L 💣 github.com/mdlayher/socket                                   from github.com/mdlayher/netlink
-        github.com/miekg/dns                                         from tailscale.com/net/dns/recursive
     💣 github.com/mitchellh/go-ps                                   from tailscale.com/safesocket
   L    github.com/pierrec/lz4/v4                                    from github.com/u-root/uio/uio
   L    github.com/pierrec/lz4/v4/internal/lz4block                  from github.com/pierrec/lz4/v4+
@@ -129,7 +121,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
  LD    github.com/pkg/sftp                                          from tailscale.com/ssh/tailssh
  LD    github.com/pkg/sftp/internal/encoding/ssh/filexfer           from github.com/pkg/sftp
   W 💣 github.com/tailscale/certstore                               from tailscale.com/control/controlclient
-        github.com/tailscale/golang-x-crypto/acme                    from tailscale.com/ipn/ipnlocal
  LD    github.com/tailscale/golang-x-crypto/chacha20                from github.com/tailscale/golang-x-crypto/ssh
  LD 💣 github.com/tailscale/golang-x-crypto/internal/alias          from github.com/tailscale/golang-x-crypto/chacha20
  LD    github.com/tailscale/golang-x-crypto/ssh                     from tailscale.com/ipn/ipnlocal+
@@ -251,7 +242,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/net/connstats                                  from tailscale.com/net/tstun+
        tailscale.com/net/dns                                        from tailscale.com/ipn/ipnlocal+
        tailscale.com/net/dns/publicdns                              from tailscale.com/net/dns/resolver+
-        tailscale.com/net/dns/recursive                              from tailscale.com/net/dnsfallback
        tailscale.com/net/dns/resolvconffile                         from tailscale.com/net/dns+
        tailscale.com/net/dns/resolver                               from tailscale.com/ipn/ipnlocal+
        tailscale.com/net/dnscache                                   from tailscale.com/control/controlclient+
@@ -274,7 +264,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/net/socks5                                     from tailscale.com/cmd/tailscaled
        tailscale.com/net/sockstats                                  from tailscale.com/control/controlclient+
        tailscale.com/net/stun                                       from tailscale.com/net/netcheck+
-   L    tailscale.com/net/tcpinfo                                    from tailscale.com/derp
        tailscale.com/net/tlsdial                                    from tailscale.com/control/controlclient+
        tailscale.com/net/tsaddr                                     from tailscale.com/ipn+
        tailscale.com/net/tsdial                                     from tailscale.com/control/controlclient+
@@ -293,8 +282,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
  LD    tailscale.com/tempfork/gliderlabs/ssh                        from tailscale.com/ssh/tailssh
        tailscale.com/tka                                            from tailscale.com/ipn/ipnlocal+
   W    tailscale.com/tsconst                                        from tailscale.com/net/interfaces
-        tailscale.com/tsd                                            from tailscale.com/cmd/tailscaled+
-        tailscale.com/tstime                                         from tailscale.com/wgengine/magicsock+
+        tailscale.com/tstime                                         from tailscale.com/wgengine/magicsock
     💣 tailscale.com/tstime/mono                                    from tailscale.com/net/tstun+
        tailscale.com/tstime/rate                                    from tailscale.com/wgengine/filter+
        tailscale.com/tsweb/varz                                     from tailscale.com/cmd/tailscaled
@@ -319,7 +307,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        tailscale.com/util/clientmetric                              from tailscale.com/control/controlclient+
        tailscale.com/util/cloudenv                                  from tailscale.com/net/dns/resolver+
  LW    tailscale.com/util/cmpver                                    from tailscale.com/net/dns+
-        tailscale.com/util/cmpx                                      from tailscale.com/derp/derphttp+
     💣 tailscale.com/util/deephash                                  from tailscale.com/ipn/ipnlocal+
   L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics+
        tailscale.com/util/dnsname                                   from tailscale.com/hostinfo+
@@ -328,7 +315,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
     💣 tailscale.com/util/hashx                                     from tailscale.com/util/deephash
        tailscale.com/util/httpm                                     from tailscale.com/client/tailscale+
        tailscale.com/util/lineread                                  from tailscale.com/hostinfo+
-   L    tailscale.com/util/linuxfw                                   from tailscale.com/net/netns+
        tailscale.com/util/mak                                       from tailscale.com/control/controlclient+
        tailscale.com/util/multierr                                  from tailscale.com/control/controlclient+
        tailscale.com/util/must                                      from tailscale.com/logpolicy
@@ -359,6 +345,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
     💣 tailscale.com/wgengine/wgint                                 from tailscale.com/wgengine
        tailscale.com/wgengine/wglog                                 from tailscale.com/wgengine
   W 💣 tailscale.com/wgengine/winnet                                from tailscale.com/wgengine/router
+        golang.org/x/crypto/acme                                     from tailscale.com/ipn/ipnlocal
        golang.org/x/crypto/argon2                                   from tailscale.com/tka
        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box+
        golang.org/x/crypto/blake2s                                  from github.com/tailscale/wireguard-go/device+
@@ -376,7 +363,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
  LD    golang.org/x/crypto/ssh                                      from tailscale.com/ssh/tailssh+
        golang.org/x/exp/constraints                                 from golang.org/x/exp/slices+
-        golang.org/x/exp/maps                                        from tailscale.com/wgengine+
+        golang.org/x/exp/maps                                        from tailscale.com/wgengine
        golang.org/x/exp/slices                                      from tailscale.com/ipn/ipnlocal+
        golang.org/x/net/bpf                                         from github.com/mdlayher/genetlink+
        golang.org/x/net/dns/dnsmessage                              from net+
@@ -436,7 +423,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        embed                                                        from tailscale.com+
        encoding                                                     from encoding/json+
        encoding/asn1                                                from crypto/x509+
-        encoding/base32                                              from tailscale.com/tka+
+        encoding/base32                                              from tailscale.com/tka
        encoding/base64                                              from encoding/json+
        encoding/binary                                              from compress/gzip+
        encoding/hex                                                 from crypto/x509+
@@ -457,7 +444,6 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        io/fs                                                        from crypto/x509+
        io/ioutil                                                    from github.com/godbus/dbus/v5+
        log                                                          from expvar+
-        log/internal                                                 from log
  LD    log/syslog                                                   from tailscale.com/ssh/tailssh
        math                                                         from compress/flate+
        math/big                                                     from crypto/dsa+
--- a/cmd/tailscaled/tailscaled.go
+++ b/cmd/tailscaled/tailscaled.go
@@ -50,7 +50,6 @@ import (
 	"tailscale.com/safesocket"
 	"tailscale.com/smallzstd"
 	"tailscale.com/syncs"
-	"tailscale.com/tsd"
 	"tailscale.com/tsweb/varz"
 	"tailscale.com/types/flagtype"
 	"tailscale.com/types/logger"
@@ -331,18 +330,14 @@ var debugMux *http.ServeMux

 func run() error {
 	var logf logger.Logf = log.Printf
-
-	sys := new(tsd.System)
-
 	netMon, err := netmon.New(func(format string, args ...any) {
 		logf(format, args...)
 	})
 	if err != nil {
 		return fmt.Errorf("netmon.New: %w", err)
 	}
-	sys.Set(netMon)

-	pol := logpolicy.New(logtail.CollectionNode, netMon, nil /* use log.Printf */)
+	pol := logpolicy.New(logtail.CollectionNode, netMon)
 	pol.SetVerbosityLevel(args.verbose)
 	logPol = pol
 	defer func() {
@@ -391,10 +386,10 @@ func run() error {
 		debugMux = newDebugMux()
 	}

-	return startIPNServer(context.Background(), logf, pol.PublicID, sys)
+	return startIPNServer(context.Background(), logf, pol.PublicID, netMon)
 }

-func startIPNServer(ctx context.Context, logf logger.Logf, logID logid.PublicID, sys *tsd.System) error {
+func startIPNServer(ctx context.Context, logf logger.Logf, logID logid.PublicID, netMon *netmon.Monitor) error {
 	ln, err := safesocket.Listen(args.socketpath)
 	if err != nil {
 		return fmt.Errorf("safesocket.Listen: %v", err)
@@ -420,7 +415,7 @@ func startIPNServer(ctx context.Context, logf logger.Logf, logID logid.PublicID,
 		}
 	}()

-	srv := ipnserver.New(logf, logID, sys.NetMon.Get())
+	srv := ipnserver.New(logf, logID, netMon)
 	if debugMux != nil {
 		debugMux.HandleFunc("/debug/ipn", srv.ServeHTMLStatus)
 	}
@@ -438,7 +433,7 @@ func startIPNServer(ctx context.Context, logf logger.Logf, logID logid.PublicID,
 				return
 			}
 		}
-		lb, err := getLocalBackend(ctx, logf, logID, sys)
+		lb, err := getLocalBackend(ctx, logf, logID, netMon)
 		if err == nil {
 			logf("got LocalBackend in %v", time.Since(t0).Round(time.Millisecond))
 			srv.SetLocalBackend(lb)
@@ -462,28 +457,31 @@ func startIPNServer(ctx context.Context, logf logger.Logf, logID logid.PublicID,
 	return nil
 }

-func getLocalBackend(ctx context.Context, logf logger.Logf, logID logid.PublicID, sys *tsd.System) (_ *ipnlocal.LocalBackend, retErr error) {
+func getLocalBackend(ctx context.Context, logf logger.Logf, logID logid.PublicID, netMon *netmon.Monitor) (_ *ipnlocal.LocalBackend, retErr error) {
 	if logPol != nil {
-		logPol.Logtail.SetNetMon(sys.NetMon.Get())
+		logPol.Logtail.SetNetMon(netMon)
 	}

 	socksListener, httpProxyListener := mustStartProxyListeners(args.socksAddr, args.httpProxyAddr)

 	dialer := &tsdial.Dialer{Logf: logf} // mutated below (before used)
-	sys.Set(dialer)
-
-	onlyNetstack, err := createEngine(logf, sys)
+	e, onlyNetstack, err := createEngine(logf, netMon, dialer)
 	if err != nil {
 		return nil, fmt.Errorf("createEngine: %w", err)
 	}
+	if _, ok := e.(wgengine.ResolvingEngine).GetResolver(); !ok {
+		panic("internal error: exit node resolver not wired up")
+	}
 	if debugMux != nil {
-		if ms, ok := sys.MagicSock.GetOK(); ok {
-			debugMux.HandleFunc("/debug/magicsock", ms.ServeHTTPDebug)
+		if ig, ok := e.(wgengine.InternalsGetter); ok {
+			if _, mc, _, ok := ig.GetInternals(); ok {
+				debugMux.HandleFunc("/debug/magicsock", mc.ServeHTTPDebug)
+			}
 		}
 		go runDebugServer(debugMux, args.debug)
 	}

-	ns, err := newNetstack(logf, sys)
+	ns, err := newNetstack(logf, dialer, e)
 	if err != nil {
 		return nil, fmt.Errorf("newNetstack: %w", err)
 	}
@@ -491,7 +489,6 @@ func getLocalBackend(ctx context.Context, logf logger.Logf, logID logid.PublicID
 	ns.ProcessSubnets = onlyNetstack || handleSubnetsInNetstack()

 	if onlyNetstack {
-		e := sys.Engine.Get()
 		dialer.UseNetstackForIP = func(ip netip.Addr) bool {
 			_, ok := e.PeerForIP(ip)
 			return ok
@@ -522,15 +519,16 @@ func getLocalBackend(ctx context.Context, logf logger.Logf, logID logid.PublicID
 		tshttpproxy.SetSelfProxy(addrs...)
 	}

+	e = wgengine.NewWatchdog(e)
+
 	opts := ipnServerOpts()

 	store, err := store.New(logf, statePathOrDefault())
 	if err != nil {
 		return nil, fmt.Errorf("store.New: %w", err)
 	}
-	sys.Set(store)

-	lb, err := ipnlocal.NewLocalBackend(logf, logID, sys, opts.LoginFlags)
+	lb, err := ipnlocal.NewLocalBackend(logf, logID, store, dialer, e, opts.LoginFlags)
 	if err != nil {
 		return nil, fmt.Errorf("ipnlocal.NewLocalBackend: %w", err)
 	}
@@ -556,21 +554,21 @@ func getLocalBackend(ctx context.Context, logf logger.Logf, logID logid.PublicID
 //
 // onlyNetstack is true if the user has explicitly requested that we use netstack
 // for all networking.
-func createEngine(logf logger.Logf, sys *tsd.System) (onlyNetstack bool, err error) {
+func createEngine(logf logger.Logf, netMon *netmon.Monitor, dialer *tsdial.Dialer) (e wgengine.Engine, onlyNetstack bool, err error) {
 	if args.tunname == "" {
-		return false, errors.New("no --tun value specified")
+		return nil, false, errors.New("no --tun value specified")
 	}
 	var errs []error
 	for _, name := range strings.Split(args.tunname, ",") {
 		logf("wgengine.NewUserspaceEngine(tun %q) ...", name)
-		onlyNetstack, err = tryEngine(logf, sys, name)
+		e, onlyNetstack, err = tryEngine(logf, netMon, dialer, name)
 		if err == nil {
-			return onlyNetstack, nil
+			return e, onlyNetstack, nil
 		}
 		logf("wgengine.NewUserspaceEngine(tun %q) error: %v", name, err)
 		errs = append(errs, err)
 	}
-	return false, multierr.New(errs...)
+	return nil, false, multierr.New(errs...)
 }

 // handleSubnetsInNetstack reports whether netstack should handle subnet routers
@@ -595,23 +593,21 @@ func handleSubnetsInNetstack() bool {

 var tstunNew = tstun.New

-func tryEngine(logf logger.Logf, sys *tsd.System, name string) (onlyNetstack bool, err error) {
+func tryEngine(logf logger.Logf, netMon *netmon.Monitor, dialer *tsdial.Dialer, name string) (e wgengine.Engine, onlyNetstack bool, err error) {
 	conf := wgengine.Config{
-		ListenPort:   args.port,
-		NetMon:       sys.NetMon.Get(),
-		Dialer:       sys.Dialer.Get(),
-		SetSubsystem: sys.Set,
+		ListenPort: args.port,
+		NetMon:     netMon,
+		Dialer:     dialer,
 	}

 	onlyNetstack = name == "userspace-networking"
-	netstackSubnetRouter := onlyNetstack // but mutated later on some platforms
 	netns.SetEnabled(!onlyNetstack)

 	if args.birdSocketPath != "" && createBIRDClient != nil {
 		log.Printf("Connecting to BIRD at %s ...", args.birdSocketPath)
 		conf.BIRDClient, err = createBIRDClient(args.birdSocketPath)
 		if err != nil {
-			return false, fmt.Errorf("createBIRDClient: %w", err)
+			return nil, false, fmt.Errorf("createBIRDClient: %w", err)
 		}
 	}
 	if onlyNetstack {
@@ -624,55 +620,44 @@ func tryEngine(logf logger.Logf, sys *tsd.System, name string) (onlyNetstack boo
 			// TODO(bradfitz): add a Synology-specific DNS manager.
 			conf.DNS, err = dns.NewOSConfigurator(logf, "") // empty interface name
 			if err != nil {
-				return false, fmt.Errorf("dns.NewOSConfigurator: %w", err)
+				return nil, false, fmt.Errorf("dns.NewOSConfigurator: %w", err)
 			}
 		}
 	} else {
 		dev, devName, err := tstunNew(logf, name)
 		if err != nil {
 			tstun.Diagnose(logf, name, err)
-			return false, fmt.Errorf("tstun.New(%q): %w", name, err)
+			return nil, false, fmt.Errorf("tstun.New(%q): %w", name, err)
 		}
 		conf.Tun = dev
 		if strings.HasPrefix(name, "tap:") {
 			conf.IsTAP = true
 			e, err := wgengine.NewUserspaceEngine(logf, conf)
-			if err != nil {
-				return false, err
-			}
-			sys.Set(e)
-			return false, err
+			return e, false, err
 		}

-		r, err := router.New(logf, dev, sys.NetMon.Get())
+		r, err := router.New(logf, dev, netMon)
 		if err != nil {
 			dev.Close()
-			return false, fmt.Errorf("creating router: %w", err)
+			return nil, false, fmt.Errorf("creating router: %w", err)
 		}
-
 		d, err := dns.NewOSConfigurator(logf, devName)
 		if err != nil {
 			dev.Close()
 			r.Close()
-			return false, fmt.Errorf("dns.NewOSConfigurator: %w", err)
+			return nil, false, fmt.Errorf("dns.NewOSConfigurator: %w", err)
 		}
 		conf.DNS = d
 		conf.Router = r
 		if handleSubnetsInNetstack() {
 			conf.Router = netstack.NewSubnetRouterWrapper(conf.Router)
-			netstackSubnetRouter = true
 		}
-		sys.Set(conf.Router)
 	}
-	e, err := wgengine.NewUserspaceEngine(logf, conf)
+	e, err = wgengine.NewUserspaceEngine(logf, conf)
 	if err != nil {
-		return onlyNetstack, err
+		return nil, onlyNetstack, err
 	}
-	e = wgengine.NewWatchdog(e)
-	sys.Set(e)
-	sys.NetstackRouter.Set(netstackSubnetRouter)
-
-	return onlyNetstack, nil
+	return e, onlyNetstack, nil
 }

 func newDebugMux() *http.ServeMux {
@@ -702,8 +687,12 @@ func runDebugServer(mux *http.ServeMux, addr string) {
 	}
 }

-func newNetstack(logf logger.Logf, sys *tsd.System) (*netstack.Impl, error) {
-	return netstack.Create(logf, sys.Tun.Get(), sys.Engine.Get(), sys.MagicSock.Get(), sys.Dialer.Get(), sys.DNSManager.Get())
+func newNetstack(logf logger.Logf, dialer *tsdial.Dialer, e wgengine.Engine) (*netstack.Impl, error) {
+	tunDev, magicConn, dns, ok := e.(wgengine.InternalsGetter).GetInternals()
+	if !ok {
+		return nil, fmt.Errorf("%T is not a wgengine.InternalsGetter", e)
+	}
+	return netstack.Create(logf, tunDev, e, magicConn, dialer, dns)
 }

 // mustStartProxyListeners creates listeners for local SOCKS and HTTP
--- a/cmd/tailscaled/tailscaled_test.go
+++ b/cmd/tailscaled/tailscaled_test.go
@@ -3,32 +3,10 @@

 package main // import "tailscale.com/cmd/tailscaled"

-import (
-	"testing"
-
-	"tailscale.com/tstest/deptest"
-)
+import "testing"

 func TestNothing(t *testing.T) {
 	// This test does nothing on purpose, so we can run
 	// GODEBUG=memprofilerate=1 go test -v -run=Nothing -memprofile=prof.mem
 	// without any errors about no matching tests.
 }
-
-func TestDeps(t *testing.T) {
-	deptest.DepChecker{
-		GOOS:   "darwin",
-		GOARCH: "arm64",
-		BadDeps: map[string]string{
-			"gvisor.dev/gvisor/pkg/hostarch": "will crash on non-4K page sizes; see https://github.com/tailscale/tailscale/issues/8658",
-		},
-	}.Check(t)
-
-	deptest.DepChecker{
-		GOOS:   "linux",
-		GOARCH: "arm64",
-		BadDeps: map[string]string{
-			"gvisor.dev/gvisor/pkg/hostarch": "will crash on non-4K page sizes; see https://github.com/tailscale/tailscale/issues/8658",
-		},
-	}.Check(t)
-}
--- a/cmd/tailscaled/tailscaled_windows.go
+++ b/cmd/tailscaled/tailscaled_windows.go
@@ -47,7 +47,6 @@ import (
 	"tailscale.com/net/dns"
 	"tailscale.com/net/netmon"
 	"tailscale.com/net/tstun"
-	"tailscale.com/tsd"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/logid"
 	"tailscale.com/util/winutil"
@@ -126,10 +125,6 @@ var syslogf logger.Logf = logger.Discard
 // At this point we're still the parent process that
 // Windows started.
 func runWindowsService(pol *logpolicy.Policy) error {
-	go func() {
-		winutil.LogSupportInfo(log.Printf)
-	}()
-
 	if winutil.GetPolicyInteger("LogSCMInteractions", 0) != 0 {
 		syslog, err := eventlog.Open(serviceName)
 		if err == nil {
@@ -297,15 +292,13 @@ func beWindowsSubprocess() bool {
 		}
 	}()

-	sys := new(tsd.System)
 	netMon, err := netmon.New(log.Printf)
 	if err != nil {
-		log.Fatalf("Could not create netMon: %v", err)
+		log.Printf("Could not create netMon: %v", err)
+		netMon = nil
 	}
-	sys.Set(netMon)
-
 	publicLogID, _ := logid.ParsePublicID(logID)
-	err = startIPNServer(ctx, log.Printf, publicLogID, sys)
+	err = startIPNServer(ctx, log.Printf, publicLogID, netMon)
 	if err != nil {
 		log.Fatalf("ipnserver: %v", err)
 	}
--- a/cmd/testwrapper/flakytest/flakytest.go
+++ b/cmd/testwrapper/flakytest/flakytest.go
@@ -7,20 +7,16 @@
 package flakytest

 import (
-	"fmt"
 	"os"
 	"regexp"
 	"testing"
 )

-// FlakyTestLogMessage is a sentinel value that is printed to stderr when a
-// flaky test is marked. This is used by cmd/testwrapper to detect flaky tests
-// and retry them.
-const FlakyTestLogMessage = "flakytest: this is a known flaky test"
-
-// FlakeAttemptEnv is an environment variable that is set by cmd/testwrapper
-// when a flaky test is retried. It contains the attempt number, starting at 1.
-const FlakeAttemptEnv = "TS_TESTWRAPPER_ATTEMPT"
+// InTestWrapper returns whether or not this binary is running under our test
+// wrapper.
+func InTestWrapper() bool {
+	return os.Getenv("TS_IN_TESTWRAPPER") != ""
+}

 var issueRegexp = regexp.MustCompile(`\Ahttps://github\.com/tailscale/[a-zA-Z0-9_.-]+/issues/\d+\z`)

@@ -34,6 +30,16 @@ func Mark(t testing.TB, issue string) {
 		t.Fatalf("bad issue format: %q", issue)
 	}

-	fmt.Fprintln(os.Stderr, FlakyTestLogMessage) // sentinel value for testwrapper
-	t.Logf("flakytest: issue tracking this flaky test: %s", issue)
+	if !InTestWrapper() {
+		return
+	}
+
+	t.Cleanup(func() {
+		if t.Failed() {
+			t.Logf("flakytest: signaling test wrapper to retry test")
+
+			// Signal to test wrapper that we should restart.
+			os.Exit(123)
+		}
+	})
 }
--- a/cmd/testwrapper/flakytest/flakytest_test.go
+++ b/cmd/testwrapper/flakytest/flakytest_test.go
@@ -3,10 +3,7 @@

 package flakytest

-import (
-	"os"
-	"testing"
-)
+import "testing"

 func TestIssueFormat(t *testing.T) {
 	testCases := []struct {
@@ -27,17 +24,3 @@ func TestIssueFormat(t *testing.T) {
 		}
 	}
 }
-
-// TestFlakeRun is a test that fails when run in the testwrapper
-// for the first time, but succeeds on the second run.
-// It's used to test whether the testwrapper retries flaky tests.
-func TestFlakeRun(t *testing.T) {
-	Mark(t, "https://github.com/tailscale/tailscale/issues/0") // random issue
-	e := os.Getenv(FlakeAttemptEnv)
-	if e == "" {
-		t.Skip("not running in testwrapper")
-	}
-	if e == "1" {
-		t.Fatal("First run in testwrapper, failing so that test is retried. This is expected.")
-	}
-}
--- a/cmd/testwrapper/testwrapper.go
+++ b/cmd/testwrapper/testwrapper.go
@@ -1,288 +1,62 @@
 // Copyright (c) Tailscale Inc & AUTHORS
 // SPDX-License-Identifier: BSD-3-Clause

-// testwrapper is a wrapper for retrying flaky tests. It is an alternative to
-// `go test` and re-runs failed marked flaky tests (using the flakytest pkg). It
-// takes different arguments than go test and requires the first positional
-// argument to be the pattern to test.
+// testwrapper is a wrapper for retrying flaky tests, using the -exec flag of
+// 'go test'. Tests that are flaky can use the 'flakytest' subpackage to mark
+// themselves as flaky and be retried on failure.
 package main

 import (
-	"bytes"
 	"context"
-	"encoding/json"
 	"errors"
-	"flag"
-	"fmt"
-	"io"
 	"log"
 	"os"
 	"os/exec"
-	"sort"
-	"strings"
-	"time"
-
-	"golang.org/x/exp/maps"
-	"tailscale.com/cmd/testwrapper/flakytest"
 )

-const maxAttempts = 3
-
-type testAttempt struct {
-	name          testName
-	outcome       string // "pass", "fail", "skip"
-	logs          bytes.Buffer
-	isMarkedFlaky bool // set if the test is marked as flaky
-
-	pkgFinished bool
-}
-
-type testName struct {
-	pkg  string // "tailscale.com/types/key"
-	name string // "TestFoo"
-}
-
-type packageTests struct {
-	// pattern is the package pattern to run.
-	// Must be a single pattern, not a list of patterns.
-	pattern string // "./...", "./types/key"
-	// tests is a list of tests to run. If empty, all tests in the package are
-	// run.
-	tests []string // ["TestFoo", "TestBar"]
-}
-
-type goTestOutput struct {
-	Time    time.Time
-	Action  string
-	Package string
-	Test    string
-	Output  string
-}
-
-var debug = os.Getenv("TS_TESTWRAPPER_DEBUG") != ""
-
-// runTests runs the tests in pt and sends the results on ch. It sends a
-// testAttempt for each test and a final testAttempt per pkg with pkgFinished
-// set to true.
-// It calls close(ch) when it's done.
-func runTests(ctx context.Context, attempt int, pt *packageTests, otherArgs []string, ch chan<- *testAttempt) {
-	defer close(ch)
-	args := []string{"test", "-json", pt.pattern}
-	args = append(args, otherArgs...)
-	if len(pt.tests) > 0 {
-		runArg := strings.Join(pt.tests, "|")
-		args = append(args, "-run", runArg)
-	}
-	if debug {
-		fmt.Println("running", strings.Join(args, " "))
-	}
-	cmd := exec.CommandContext(ctx, "go", args...)
-	r, err := cmd.StdoutPipe()
-	if err != nil {
-		log.Printf("error creating stdout pipe: %v", err)
-	}
-	defer r.Close()
-	cmd.Stderr = os.Stderr
-
-	cmd.Env = os.Environ()
-	cmd.Env = append(cmd.Env, fmt.Sprintf("%s=%d", flakytest.FlakeAttemptEnv, attempt))
-
-	if err := cmd.Start(); err != nil {
-		log.Printf("error starting test: %v", err)
-		os.Exit(1)
-	}
-	done := make(chan struct{})
-	go func() {
-		defer close(done)
-		cmd.Wait()
-	}()
-
-	jd := json.NewDecoder(r)
-	resultMap := make(map[testName]*testAttempt)
-	for {
-		var goOutput goTestOutput
-		if err := jd.Decode(&goOutput); err != nil {
-			if errors.Is(err, io.EOF) || errors.Is(err, os.ErrClosed) {
-				break
-			}
-
-			// `go test -json` outputs invalid JSON when a build fails.
-			// In that case, discard the the output and start reading again.
-			// The build error will be printed to stderr.
-			// See: https://github.com/golang/go/issues/35169
-			if _, ok := err.(*json.SyntaxError); ok {
-				jd = json.NewDecoder(r)
-				continue
-			}
-			panic(err)
-		}
-		if goOutput.Test == "" {
-			switch goOutput.Action {
-			case "fail", "pass", "skip":
-				ch <- &testAttempt{
-					name: testName{
-						pkg: goOutput.Package,
-					},
-					outcome:     goOutput.Action,
-					pkgFinished: true,
-				}
-			}
-			continue
-		}
-		name := testName{
-			pkg:  goOutput.Package,
-			name: goOutput.Test,
-		}
-		if test, _, isSubtest := strings.Cut(goOutput.Test, "/"); isSubtest {
-			name.name = test
-			if goOutput.Action == "output" {
-				resultMap[name].logs.WriteString(goOutput.Output)
-			}
-			continue
-		}
-		switch goOutput.Action {
-		case "start":
-			// ignore
-		case "run":
-			resultMap[name] = &testAttempt{
-				name: name,
-			}
-		case "skip", "pass", "fail":
-			resultMap[name].outcome = goOutput.Action
-			ch <- resultMap[name]
-		case "output":
-			if strings.TrimSpace(goOutput.Output) == flakytest.FlakyTestLogMessage {
-				resultMap[name].isMarkedFlaky = true
-			} else {
-				resultMap[name].logs.WriteString(goOutput.Output)
-			}
-		}
-	}
-	<-done
-}
+const (
+	retryStatus   = 123
+	maxIterations = 3
+)

 func main() {
 	ctx := context.Background()
+	debug := os.Getenv("TS_TESTWRAPPER_DEBUG") != ""

-	// We only need to parse the -v flag to figure out whether to print the logs
-	// for a test. We don't need to parse any other flags, so we just use the
-	// flag package to parse the -v flag and then pass the rest of the args
-	// through to 'go test'.
-	// We run `go test -json` which returns the same information as `go test -v`,
-	// but in a machine-readable format. So this flag is only for testwrapper's
-	// output.
-	v := flag.Bool("v", false, "verbose")
-
-	flag.Usage = func() {
-		fmt.Println("usage: testwrapper [testwrapper-flags] [pattern] [build/test flags & test binary flags]")
-		fmt.Println()
-		fmt.Println("testwrapper-flags:")
-		flag.CommandLine.PrintDefaults()
-		fmt.Println()
-		fmt.Println("examples:")
-		fmt.Println("\ttestwrapper -v ./... -count=1")
-		fmt.Println("\ttestwrapper ./pkg/foo -run TestBar -count=1")
-		fmt.Println()
-		fmt.Println("Unlike 'go test', testwrapper requires a package pattern as the first positional argument and only supports a single pattern.")
-	}
-	flag.Parse()
-
-	args := flag.Args()
-	if len(args) < 1 || strings.HasPrefix(args[0], "-") {
-		fmt.Println("no pattern specified")
-		flag.Usage()
-		os.Exit(1)
-	} else if len(args) > 1 && !strings.HasPrefix(args[1], "-") {
-		fmt.Println("expected single pattern")
-		flag.Usage()
-		os.Exit(1)
-	}
-	pattern, otherArgs := args[0], args[1:]
-
-	type nextRun struct {
-		tests   []*packageTests
-		attempt int
+	log.SetPrefix("testwrapper: ")
+	if !debug {
+		log.SetFlags(0)
 	}

-	toRun := []*nextRun{
-		{
-			tests:   []*packageTests{{pattern: pattern}},
-			attempt: 1,
-		},
-	}
-	printPkgOutcome := func(pkg, outcome string, attempt int) {
-		if outcome == "skip" {
-			fmt.Printf("?\t%s [skipped/no tests] \n", pkg)
+	for i := 1; i <= maxIterations; i++ {
+		if i > 1 {
+			log.Printf("retrying flaky tests (%d of %d)", i, maxIterations)
+		}
+		cmd := exec.CommandContext(ctx, os.Args[1], os.Args[2:]...)
+		cmd.Stdout = os.Stdout
+		cmd.Stderr = os.Stderr
+		cmd.Env = append(os.Environ(), "TS_IN_TESTWRAPPER=1")
+		err := cmd.Run()
+		if err == nil {
 			return
 		}
-		if outcome == "pass" {
-			outcome = "ok"
-		}
-		if outcome == "fail" {
-			outcome = "FAIL"
-		}
-		if attempt > 1 {
-			fmt.Printf("%s\t%s [attempt=%d]\n", outcome, pkg, attempt)
-			return
-		}
-		fmt.Printf("%s\t%s\n", outcome, pkg)
-	}

-	for len(toRun) > 0 {
-		var thisRun *nextRun
-		thisRun, toRun = toRun[0], toRun[1:]
-
-		if thisRun.attempt >= maxAttempts {
-			fmt.Println("max attempts reached")
-			os.Exit(1)
-		}
-		if thisRun.attempt > 1 {
-			fmt.Printf("\n\nAttempt #%d: Retrying flaky tests:\n\n", thisRun.attempt)
-		}
-
-		failed := false
-		toRetry := make(map[string][]string) // pkg -> tests to retry
-		for _, pt := range thisRun.tests {
-			ch := make(chan *testAttempt)
-			go runTests(ctx, thisRun.attempt, pt, otherArgs, ch)
-			for tr := range ch {
-				if tr.pkgFinished {
-					printPkgOutcome(tr.name.pkg, tr.outcome, thisRun.attempt)
-					continue
-				}
-				if *v || tr.outcome == "fail" {
-					io.Copy(os.Stdout, &tr.logs)
-				}
-				if tr.outcome != "fail" {
-					continue
-				}
-				if tr.isMarkedFlaky {
-					toRetry[tr.name.pkg] = append(toRetry[tr.name.pkg], tr.name.name)
-				} else {
-					failed = true
-				}
+		var exitErr *exec.ExitError
+		if !errors.As(err, &exitErr) {
+			if debug {
+				log.Printf("error isn't an ExitError")
 			}
-		}
-		if failed {
-			fmt.Println("\n\nNot retrying flaky tests because non-flaky tests failed.")
 			os.Exit(1)
 		}
-		if len(toRetry) == 0 {
-			continue
+
+		if code := exitErr.ExitCode(); code != retryStatus {
+			if debug {
+				log.Printf("code (%d) != retryStatus (%d)", code, retryStatus)
+			}
+			os.Exit(code)
 		}
-		pkgs := maps.Keys(toRetry)
-		sort.Strings(pkgs)
-		nextRun := &nextRun{
-			attempt: thisRun.attempt + 1,
-		}
-		for _, pkg := range pkgs {
-			tests := toRetry[pkg]
-			sort.Strings(tests)
-			nextRun.tests = append(nextRun.tests, &packageTests{
-				pattern: pkg,
-				tests:   tests,
-			})
-		}
-		toRun = append(toRun, nextRun)
 	}
+
+	log.Printf("test did not pass in %d iterations", maxIterations)
+	os.Exit(1)
 }
--- a/cmd/tsconnect/wasm/wasm_js.go
+++ b/cmd/tsconnect/wasm/wasm_js.go
@@ -37,7 +37,6 @@ import (
 	"tailscale.com/safesocket"
 	"tailscale.com/smallzstd"
 	"tailscale.com/tailcfg"
-	"tailscale.com/tsd"
 	"tailscale.com/wgengine"
 	"tailscale.com/wgengine/netstack"
 	"tailscale.com/words"
@@ -97,19 +96,19 @@ func newIPN(jsConfig js.Value) map[string]any {
 	logtail := logtail.NewLogger(c, log.Printf)
 	logf := logtail.Logf

-	sys := new(tsd.System)
-	sys.Set(store)
 	dialer := &tsdial.Dialer{Logf: logf}
 	eng, err := wgengine.NewUserspaceEngine(logf, wgengine.Config{
-		Dialer:       dialer,
-		SetSubsystem: sys.Set,
+		Dialer: dialer,
 	})
 	if err != nil {
 		log.Fatal(err)
 	}
-	sys.Set(eng)

-	ns, err := netstack.Create(logf, sys.Tun.Get(), eng, sys.MagicSock.Get(), dialer, sys.DNSManager.Get())
+	tunDev, magicConn, dnsManager, ok := eng.(wgengine.InternalsGetter).GetInternals()
+	if !ok {
+		log.Fatalf("%T is not a wgengine.InternalsGetter", eng)
+	}
+	ns, err := netstack.Create(logf, tunDev, eng, magicConn, dialer, dnsManager)
 	if err != nil {
 		log.Fatalf("netstack.Create: %v", err)
 	}
@@ -122,11 +121,10 @@ func newIPN(jsConfig js.Value) map[string]any {
 	dialer.NetstackDialTCP = func(ctx context.Context, dst netip.AddrPort) (net.Conn, error) {
 		return ns.DialContextTCP(ctx, dst)
 	}
-	sys.NetstackRouter.Set(true)

 	logid := lpc.PublicID
 	srv := ipnserver.New(logf, logid, nil /* no netMon */)
-	lb, err := ipnlocal.NewLocalBackend(logf, logid, sys, controlclient.LoginEphemeral)
+	lb, err := ipnlocal.NewLocalBackend(logf, logid, store, dialer, eng, controlclient.LoginEphemeral)
 	if err != nil {
 		log.Fatalf("ipnlocal.NewLocalBackend: %v", err)
 	}
--- a/cmd/viewer/tests/tests.go
+++ b/cmd/viewer/tests/tests.go
@@ -9,7 +9,7 @@ import (
 	"net/netip"
 )

-//go:generate go run tailscale.com/cmd/viewer --type=StructWithPtrs,StructWithoutPtrs,Map,StructWithSlices,OnlyGetClone,StructWithEmbedded --clone-only-type=OnlyGetClone
+//go:generate go run tailscale.com/cmd/viewer --type=StructWithPtrs,StructWithoutPtrs,Map,StructWithSlices,OnlyGetClone --clone-only-type=OnlyGetClone

 type StructWithoutPtrs struct {
 	Int int
@@ -61,8 +61,3 @@ type StructWithSlices struct {
 type OnlyGetClone struct {
 	SinViewerPorFavor bool
 }
-
-type StructWithEmbedded struct {
-	A *StructWithPtrs
-	StructWithSlices
-}
--- a/cmd/viewer/tests/tests_clone.go
+++ b/cmd/viewer/tests/tests_clone.go
@@ -211,22 +211,3 @@ func (src *OnlyGetClone) Clone() *OnlyGetClone {
 var _OnlyGetCloneCloneNeedsRegeneration = OnlyGetClone(struct {
 	SinViewerPorFavor bool
 }{})
-
-// Clone makes a deep copy of StructWithEmbedded.
-// The result aliases no memory with the original.
-func (src *StructWithEmbedded) Clone() *StructWithEmbedded {
-	if src == nil {
-		return nil
-	}
-	dst := new(StructWithEmbedded)
-	*dst = *src
-	dst.A = src.A.Clone()
-	dst.StructWithSlices = *src.StructWithSlices.Clone()
-	return dst
-}
-
-// A compilation failure here means this code must be regenerated, with the command at the top of this file.
-var _StructWithEmbeddedCloneNeedsRegeneration = StructWithEmbedded(struct {
-	A *StructWithPtrs
-	StructWithSlices
-}{})
--- a/cmd/viewer/tests/tests_view.go
+++ b/cmd/viewer/tests/tests_view.go
@@ -14,7 +14,7 @@ import (
 	"tailscale.com/types/views"
 )

-//go:generate go run tailscale.com/cmd/cloner  -clonefunc=false -type=StructWithPtrs,StructWithoutPtrs,Map,StructWithSlices,OnlyGetClone,StructWithEmbedded
+//go:generate go run tailscale.com/cmd/cloner  -clonefunc=false -type=StructWithPtrs,StructWithoutPtrs,Map,StructWithSlices,OnlyGetClone

 // View returns a readonly view of StructWithPtrs.
 func (p *StructWithPtrs) View() StructWithPtrsView {
@@ -325,59 +325,3 @@ var _StructWithSlicesViewNeedsRegeneration = StructWithSlices(struct {
 	Prefixes       []netip.Prefix
 	Data           []byte
 }{})
-
-// View returns a readonly view of StructWithEmbedded.
-func (p *StructWithEmbedded) View() StructWithEmbeddedView {
-	return StructWithEmbeddedView{ж: p}
-}
-
-// StructWithEmbeddedView provides a read-only view over StructWithEmbedded.
-//
-// Its methods should only be called if `Valid()` returns true.
-type StructWithEmbeddedView struct {
-	// ж is the underlying mutable value, named with a hard-to-type
-	// character that looks pointy like a pointer.
-	// It is named distinctively to make you think of how dangerous it is to escape
-	// to callers. You must not let callers be able to mutate it.
-	ж *StructWithEmbedded
-}
-
-// Valid reports whether underlying value is non-nil.
-func (v StructWithEmbeddedView) Valid() bool { return v.ж != nil }
-
-// AsStruct returns a clone of the underlying value which aliases no memory with
-// the original.
-func (v StructWithEmbeddedView) AsStruct() *StructWithEmbedded {
-	if v.ж == nil {
-		return nil
-	}
-	return v.ж.Clone()
-}
-
-func (v StructWithEmbeddedView) MarshalJSON() ([]byte, error) { return json.Marshal(v.ж) }
-
-func (v *StructWithEmbeddedView) UnmarshalJSON(b []byte) error {
-	if v.ж != nil {
-		return errors.New("already initialized")
-	}
-	if len(b) == 0 {
-		return nil
-	}
-	var x StructWithEmbedded
-	if err := json.Unmarshal(b, &x); err != nil {
-		return err
-	}
-	v.ж = &x
-	return nil
-}
-
-func (v StructWithEmbeddedView) A() StructWithPtrsView { return v.ж.A.View() }
-func (v StructWithEmbeddedView) StructWithSlices() StructWithSlicesView {
-	return v.ж.StructWithSlices.View()
-}
-
-// A compilation failure here means this code must be regenerated, with the command at the top of this file.
-var _StructWithEmbeddedViewNeedsRegeneration = StructWithEmbedded(struct {
-	A *StructWithPtrs
-	StructWithSlices
-}{})
--- a/control/controlclient/auto.go
+++ b/control/controlclient/auto.go
@@ -551,8 +551,6 @@ func (c *Auto) mapRoutine() {
 				if stillAuthed {
 					c.sendStatus("mapRoutine-got-netmap", nil, "", nm)
 				}
-				// Reset the backoff timer if we got a netmap.
-				bo.BackOff(ctx, nil)
 			})

 			health.SetInPollNetMap(false)
--- a/control/controlclient/debug.go
+++ b/control/controlclient/debug.go
@@ -20,7 +20,7 @@ func dumpGoroutinesToURL(c *http.Client, targetURL string) {

 	zbuf := new(bytes.Buffer)
 	zw := gzip.NewWriter(zbuf)
-	zw.Write(goroutines.ScrubbedGoroutineDump(true))
+	zw.Write(goroutines.ScrubbedGoroutineDump())
 	zw.Close()

 	req, err := http.NewRequestWithContext(ctx, "PUT", targetURL, zbuf)
--- a/control/controlclient/direct.go
+++ b/control/controlclient/direct.go
@@ -170,7 +170,7 @@ type ControlDialPlanner interface {
 // Pinger is the LocalBackend.Ping method.
 type Pinger interface {
 	// Ping is a request to do a ping with the peer handling the given IP.
-	Ping(ctx context.Context, ip netip.Addr, pingType tailcfg.PingType, size int) (*ipnstate.PingResult, error)
+	Ping(ctx context.Context, ip netip.Addr, pingType tailcfg.PingType) (*ipnstate.PingResult, error)
 }

 type Decompressor interface {
@@ -770,8 +770,6 @@ func (c *Direct) SetEndpoints(endpoints []tailcfg.Endpoint) (changed bool) {

 // PollNetMap makes a /map request to download the network map, calling cb with
 // each new netmap.
-// It always returns a non-nil error describing the reason for the failure
-// or why the request ended.
 func (c *Direct) PollNetMap(ctx context.Context, cb func(*netmap.NetworkMap)) error {
 	return c.sendMapRequest(ctx, -1, false, cb)
 }
@@ -800,12 +798,7 @@ func (c *Direct) SendLiteMapUpdate(ctx context.Context) error {
 // every minute.
 const pollTimeout = 120 * time.Second

-// sendMapRequest makes a /map request to download the network map, calling cb with
-// each new netmap. If maxPolls is -1, it will poll forever and only returns if
-// the context expires or the server returns an error/closes the connection and as
-// such always returns a non-nil error.
-//
-// If cb is nil, OmitPeers will be set to true.
+// cb nil means to omit peers.
 func (c *Direct) sendMapRequest(ctx context.Context, maxPolls int, readOnly bool, cb func(*netmap.NetworkMap)) error {
 	metricMapRequests.Add(1)
 	metricMapRequestsActive.Add(1)
@@ -1670,7 +1663,7 @@ func doPingerPing(logf logger.Logf, c *http.Client, pr *tailcfg.PingRequest, pin
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 	defer cancel()

-	res, err := pinger.Ping(ctx, pr.IP, pingType, 0)
+	res, err := pinger.Ping(ctx, pr.IP, pingType)
 	if err != nil {
 		d := time.Since(start).Round(time.Millisecond)
 		logf("doPingerPing: ping error of type %q to %v after %v: %v", pingType, pr.IP, d, err)
--- a/control/controlclient/map.go
+++ b/control/controlclient/map.go
@@ -90,28 +90,9 @@ func (ms *mapSession) netmapForResponse(resp *tailcfg.MapResponse) *netmap.Netwo
 		ms.lastUserProfile[up.ID] = up
 	}

-	if dm := resp.DERPMap; dm != nil {
+	if resp.DERPMap != nil {
 		ms.vlogf("netmap: new map contains DERP map")
-
-		// Zero-valued fields in a DERPMap mean that we're not changing
-		// anything and are using the previous value(s).
-		if ldm := ms.lastDERPMap; ldm != nil {
-			if dm.Regions == nil {
-				dm.Regions = ldm.Regions
-				dm.OmitDefaultRegions = ldm.OmitDefaultRegions
-			}
-			if dm.HomeParams == nil {
-				dm.HomeParams = ldm.HomeParams
-			} else if oldhh := ldm.HomeParams; oldhh != nil {
-				// Propagate sub-fields of HomeParams
-				hh := dm.HomeParams
-				if hh.RegionScore == nil {
-					hh.RegionScore = oldhh.RegionScore
-				}
-			}
-		}
-
-		ms.lastDERPMap = dm
+		ms.lastDERPMap = resp.DERPMap
 	}

 	if pf := resp.PacketFilter; pf != nil {
--- a/control/controlclient/map_test.go
+++ b/control/controlclient/map_test.go
@@ -619,108 +619,3 @@ func TestCopyDebugOptBools(t *testing.T) {
 		}
 	}
 }
-
-func TestDeltaDERPMap(t *testing.T) {
-	regions1 := map[int]*tailcfg.DERPRegion{
-		1: {
-			RegionID: 1,
-			Nodes: []*tailcfg.DERPNode{{
-				Name:     "derp1a",
-				RegionID: 1,
-				HostName: "derp1a" + tailcfg.DotInvalid,
-				IPv4:     "169.254.169.254",
-				IPv6:     "none",
-			}},
-		},
-	}
-
-	// As above, but with a changed IPv4 addr
-	regions2 := map[int]*tailcfg.DERPRegion{1: regions1[1].Clone()}
-	regions2[1].Nodes[0].IPv4 = "127.0.0.1"
-
-	type step struct {
-		got  *tailcfg.DERPMap
-		want *tailcfg.DERPMap
-	}
-	tests := []struct {
-		name  string
-		steps []step
-	}{
-		{
-			name: "nothing-to-nothing",
-			steps: []step{
-				{nil, nil},
-				{nil, nil},
-			},
-		},
-		{
-			name: "regions-sticky",
-			steps: []step{
-				{&tailcfg.DERPMap{Regions: regions1}, &tailcfg.DERPMap{Regions: regions1}},
-				{&tailcfg.DERPMap{}, &tailcfg.DERPMap{Regions: regions1}},
-			},
-		},
-		{
-			name: "regions-change",
-			steps: []step{
-				{&tailcfg.DERPMap{Regions: regions1}, &tailcfg.DERPMap{Regions: regions1}},
-				{&tailcfg.DERPMap{Regions: regions2}, &tailcfg.DERPMap{Regions: regions2}},
-			},
-		},
-		{
-			name: "home-params",
-			steps: []step{
-				// Send a DERP map
-				{&tailcfg.DERPMap{Regions: regions1}, &tailcfg.DERPMap{Regions: regions1}},
-				// Send home params, want to still have the same regions
-				{
-					&tailcfg.DERPMap{HomeParams: &tailcfg.DERPHomeParams{
-						RegionScore: map[int]float64{1: 0.5},
-					}},
-					&tailcfg.DERPMap{Regions: regions1, HomeParams: &tailcfg.DERPHomeParams{
-						RegionScore: map[int]float64{1: 0.5},
-					}},
-				},
-			},
-		},
-		{
-			name: "home-params-sub-fields",
-			steps: []step{
-				// Send a DERP map with home params
-				{
-					&tailcfg.DERPMap{Regions: regions1, HomeParams: &tailcfg.DERPHomeParams{
-						RegionScore: map[int]float64{1: 0.5},
-					}},
-					&tailcfg.DERPMap{Regions: regions1, HomeParams: &tailcfg.DERPHomeParams{
-						RegionScore: map[int]float64{1: 0.5},
-					}},
-				},
-				// Sending a struct with a 'HomeParams' field but nil RegionScore doesn't change home params...
-				{
-					&tailcfg.DERPMap{HomeParams: &tailcfg.DERPHomeParams{RegionScore: nil}},
-					&tailcfg.DERPMap{Regions: regions1, HomeParams: &tailcfg.DERPHomeParams{
-						RegionScore: map[int]float64{1: 0.5},
-					}},
-				},
-				// ... but sending one with a non-nil and empty RegionScore field zeroes that out.
-				{
-					&tailcfg.DERPMap{HomeParams: &tailcfg.DERPHomeParams{RegionScore: map[int]float64{}}},
-					&tailcfg.DERPMap{Regions: regions1, HomeParams: &tailcfg.DERPHomeParams{
-						RegionScore: map[int]float64{},
-					}},
-				},
-			},
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			ms := newTestMapSession(t)
-			for stepi, s := range tt.steps {
-				nm := ms.netmapForResponse(&tailcfg.MapResponse{DERPMap: s.got})
-				if !reflect.DeepEqual(nm.DERPMap, s.want) {
-					t.Errorf("unexpected result at step index %v; got: %s", stepi, must.Get(json.Marshal(nm.DERPMap)))
-				}
-			}
-		})
-	}
-}
--- a/control/controlclient/noise.go
+++ b/control/controlclient/noise.go
@@ -287,25 +287,6 @@ func (nc *NoiseClient) GetSingleUseRoundTripper(ctx context.Context) (http.Round
 	return nil, nil, errors.New("[unexpected] failed to reserve a request on a connection")
 }

-// contextErr is an error that wraps another error and is used to indicate that
-// the error was because a context expired.
-type contextErr struct {
-	err error
-}
-
-func (e contextErr) Error() string {
-	return e.err.Error()
-}
-
-func (e contextErr) Unwrap() error {
-	return e.err
-}
-
-// getConn returns a noiseConn that can be used to make requests to the
-// coordination server. It may return a cached connection or create a new one.
-// Dials are singleflighted, so concurrent calls to getConn may only dial once.
-// As such, context values may not be respected as there are no guarantees that
-// the context passed to getConn is the same as the context passed to dial.
 func (nc *NoiseClient) getConn(ctx context.Context) (*noiseConn, error) {
 	nc.mu.Lock()
 	if last := nc.last; last != nil && last.canTakeNewRequest() {
@@ -314,35 +295,11 @@ func (nc *NoiseClient) getConn(ctx context.Context) (*noiseConn, error) {
 	}
 	nc.mu.Unlock()

-	for {
-		// We singeflight the dial to avoid making multiple connections, however
-		// that means that we can't simply cancel the dial if the context is
-		// canceled. Instead, we have to additionally check that the context
-		// which was canceled is our context and retry if our context is still
-		// valid.
-		conn, err, _ := nc.sfDial.Do(struct{}{}, func() (*noiseConn, error) {
-			c, err := nc.dial(ctx)
-			if err != nil {
-				if ctx.Err() != nil {
-					return nil, contextErr{ctx.Err()}
-				}
-				return nil, err
-			}
-			return c, nil
-		})
-		var ce contextErr
-		if err == nil || !errors.As(err, &ce) {
-			return conn, err
-		}
-		if ctx.Err() == nil {
-			// The dial failed because of a context error, but our context
-			// is still valid. Retry.
-			continue
-		}
-		// The dial failed because our context was canceled. Return the
-		// underlying error.
-		return nil, ce.Unwrap()
+	conn, err, _ := nc.sfDial.Do(struct{}{}, nc.dial)
+	if err != nil {
+		return nil, err
 	}
+	return conn, nil
 }

 func (nc *NoiseClient) RoundTrip(req *http.Request) (*http.Response, error) {
@@ -387,7 +344,7 @@ func (nc *NoiseClient) Close() error {

 // dial opens a new connection to tailcontrol, fetching the server noise key
 // if not cached.
-func (nc *NoiseClient) dial(ctx context.Context) (*noiseConn, error) {
+func (nc *NoiseClient) dial() (*noiseConn, error) {
 	nc.mu.Lock()
 	connID := nc.nextID
 	nc.nextID++
@@ -435,7 +392,7 @@ func (nc *NoiseClient) dial(ctx context.Context) (*noiseConn, error) {
 	}

 	timeout := time.Duration(timeoutSec * float64(time.Second))
-	ctx, cancel := context.WithTimeout(ctx, timeout)
+	ctx, cancel := context.WithTimeout(context.Background(), timeout)
 	defer cancel()

 	clientConn, err := (&controlhttp.Dialer{
--- a/control/controlhttp/http_test.go
+++ b/control/controlhttp/http_test.go
@@ -583,20 +583,19 @@ func TestDialPlan(t *testing.T) {
 			}},
 			want: goodAddr,
 		},
-		// TODO(#8442): fix this test
-		// {
-		// 	name: "multiple-priority-fast-path",
-		// 	plan: &tailcfg.ControlDialPlan{Candidates: []tailcfg.ControlIPCandidate{
-		// 		// Dials some good IPs and our bad one (which
-		// 		// hangs forever), which then hits the fast
-		// 		// path where we bail without waiting.
-		// 		{IP: brokenAddr, Priority: 1, DialTimeoutSec: 10},
-		// 		{IP: goodAddr, Priority: 1, DialTimeoutSec: 10},
-		// 		{IP: other2Addr, Priority: 1, DialTimeoutSec: 10},
-		// 		{IP: otherAddr, Priority: 2, DialTimeoutSec: 10},
-		// 	}},
-		// 	want: otherAddr,
-		// },
+		{
+			name: "multiple-priority-fast-path",
+			plan: &tailcfg.ControlDialPlan{Candidates: []tailcfg.ControlIPCandidate{
+				// Dials some good IPs and our bad one (which
+				// hangs forever), which then hits the fast
+				// path where we bail without waiting.
+				{IP: brokenAddr, Priority: 1, DialTimeoutSec: 10},
+				{IP: goodAddr, Priority: 1, DialTimeoutSec: 10},
+				{IP: other2Addr, Priority: 1, DialTimeoutSec: 10},
+				{IP: otherAddr, Priority: 2, DialTimeoutSec: 10},
+			}},
+			want: otherAddr,
+		},
 		{
 			name: "multiple-priority-slow-path",
 			plan: &tailcfg.ControlDialPlan{Candidates: []tailcfg.ControlIPCandidate{
--- a/derp/derp_client.go
+++ b/derp/derp_client.go
@@ -17,7 +17,6 @@ import (
 	"go4.org/mem"
 	"golang.org/x/time/rate"
 	"tailscale.com/syncs"
-	"tailscale.com/tstime"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 )
@@ -41,8 +40,6 @@ type Client struct {
 	// Owned by Recv:
 	peeked  int                      // bytes to discard on next Recv
 	readErr syncs.AtomicValue[error] // sticky (set by Recv)
-
-	clock tstime.Clock
 }

 // ClientOpt is an option passed to NewClient.
@@ -106,7 +103,6 @@ func newClient(privateKey key.NodePrivate, nc Conn, brw *bufio.ReadWriter, logf
 		meshKey:     opt.MeshKey,
 		canAckPings: opt.CanAckPings,
 		isProber:    opt.IsProber,
-		clock:       tstime.StdClock{},
 	}
 	if opt.ServerPub.IsZero() {
 		if err := c.recvServerKey(); err != nil {
@@ -218,7 +214,7 @@ func (c *Client) send(dstKey key.NodePublic, pkt []byte) (ret error) {
 	defer c.wmu.Unlock()
 	if c.rate != nil {
 		pktLen := frameHeaderLen + key.NodePublicRawLen + len(pkt)
-		if !c.rate.AllowN(c.clock.Now(), pktLen) {
+		if !c.rate.AllowN(time.Now(), pktLen) {
 			return nil // drop
 		}
 	}
@@ -248,7 +244,7 @@ func (c *Client) ForwardPacket(srcKey, dstKey key.NodePublic, pkt []byte) (err e
 	c.wmu.Lock()
 	defer c.wmu.Unlock()

-	timer := c.clock.AfterFunc(5*time.Second, c.writeTimeoutFired)
+	timer := time.AfterFunc(5*time.Second, c.writeTimeoutFired)
 	defer timer.Stop()

 	if err := writeFrameHeader(c.bw, frameForwardPacket, uint32(keyLen*2+len(pkt))); err != nil {
@@ -461,6 +457,7 @@ func (c *Client) recvTimeout(timeout time.Duration) (m ReceivedMessage, err erro
 			c.readErr.Store(err)
 		}
 	}()
+
 	for {
 		c.nc.SetReadDeadline(time.Now().Add(timeout))

--- a/derp/derp_server.go
+++ b/derp/derp_server.go
@@ -39,7 +39,6 @@ import (
 	"tailscale.com/envknob"
 	"tailscale.com/metrics"
 	"tailscale.com/syncs"
-	"tailscale.com/tstime"
 	"tailscale.com/tstime/rate"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
@@ -165,8 +164,6 @@ type Server struct {

 	// maps from netip.AddrPort to a client's public key
 	keyOfAddr map[netip.AddrPort]key.NodePublic
-
-	clock tstime.Clock
 }

 // clientSet represents 1 or more *sclients.
@@ -321,7 +318,6 @@ func NewServer(privateKey key.NodePrivate, logf logger.Logf) *Server {
 		avgQueueDuration:     new(uint64),
 		tcpRtt:               metrics.LabelMap{Label: "le"},
 		keyOfAddr:            map[netip.AddrPort]key.NodePublic{},
-		clock:                tstime.StdClock{},
 	}
 	s.initMetacert()
 	s.packetsRecvDisco = s.packetsRecvByKind.Get("disco")
@@ -471,8 +467,8 @@ func (s *Server) initMetacert() {
 			CommonName: fmt.Sprintf("derpkey%s", s.publicKey.UntypedHexString()),
 		},
 		// Windows requires NotAfter and NotBefore set:
-		NotAfter:  s.clock.Now().Add(30 * 24 * time.Hour),
-		NotBefore: s.clock.Now().Add(-30 * 24 * time.Hour),
+		NotAfter:  time.Now().Add(30 * 24 * time.Hour),
+		NotBefore: time.Now().Add(-30 * 24 * time.Hour),
 		// Per https://github.com/golang/go/issues/51759#issuecomment-1071147836,
 		// macOS requires BasicConstraints when subject == issuer:
 		BasicConstraintsValid: true,
@@ -502,7 +498,7 @@ func (s *Server) registerClient(c *sclient) {
 	switch set := set.(type) {
 	case nil:
 		s.clients[c.key] = singleClient{c}
-		c.debugLogf("register single client")
+		c.debug("register single client")
 	case singleClient:
 		s.dupClientKeys.Add(1)
 		s.dupClientConns.Add(2) // both old and new count
@@ -518,7 +514,7 @@ func (s *Server) registerClient(c *sclient) {
 			},
 			sendHistory: []*sclient{old},
 		}
-		c.debugLogf("register duplicate client")
+		c.debug("register duplicate client")
 	case *dupClientSet:
 		s.dupClientConns.Add(1)     // the gauge
 		s.dupClientConnTotal.Add(1) // the counter
@@ -526,7 +522,7 @@ func (s *Server) registerClient(c *sclient) {
 		set.set[c] = true
 		set.last = c
 		set.sendHistory = append(set.sendHistory, c)
-		c.debugLogf("register another duplicate client")
+		c.debug("register another duplicate client")
 	}

 	if _, ok := s.clientsMesh[c.key]; !ok {
@@ -559,7 +555,7 @@ func (s *Server) unregisterClient(c *sclient) {
 	case nil:
 		c.logf("[unexpected]; clients map is empty")
 	case singleClient:
-		c.debugLogf("removed connection")
+		c.logf("removed connection")
 		delete(s.clients, c.key)
 		if v, ok := s.clientsMesh[c.key]; ok && v == nil {
 			delete(s.clientsMesh, c.key)
@@ -567,7 +563,7 @@ func (s *Server) unregisterClient(c *sclient) {
 		}
 		s.broadcastPeerStateChangeLocked(c.key, false)
 	case *dupClientSet:
-		c.debugLogf("removed duplicate client")
+		c.debug("removed duplicate client")
 		if set.removeClient(c) {
 			s.dupClientConns.Add(-1)
 		} else {
@@ -701,7 +697,7 @@ func (s *Server) accept(ctx context.Context, nc Conn, brw *bufio.ReadWriter, rem
 		done:           ctx.Done(),
 		remoteAddr:     remoteAddr,
 		remoteIPPort:   remoteIPPort,
-		connectedAt:    s.clock.Now(),
+		connectedAt:    time.Now(),
 		sendQueue:      make(chan pkt, perClientSendQueueDepth),
 		discoSendQueue: make(chan pkt, perClientSendQueueDepth),
 		sendPongCh:     make(chan [8]byte, 1),
@@ -716,12 +712,9 @@ func (s *Server) accept(ctx context.Context, nc Conn, brw *bufio.ReadWriter, rem
 	if clientInfo != nil {
 		c.info = *clientInfo
 		if envknob.Bool("DERP_PROBER_DEBUG_LOGS") && clientInfo.IsProber {
-			c.debug = true
+			c.debugLogging = true
 		}
 	}
-	if s.debug {
-		c.debug = true
-	}

 	s.registerClient(c)
 	defer s.unregisterClient(c)
@@ -734,12 +727,6 @@ func (s *Server) accept(ctx context.Context, nc Conn, brw *bufio.ReadWriter, rem
 	return c.run(ctx)
 }

-func (s *Server) debugLogf(format string, v ...any) {
-	if s.debug {
-		s.logf(format, v...)
-	}
-}
-
 // for testing
 var (
 	timeSleep = time.Sleep
@@ -757,20 +744,16 @@ func (c *sclient) run(ctx context.Context) error {
 	defer func() {
 		cancelSender()
 		if err := grp.Wait(); err != nil && !c.s.isClosed() {
-			if errors.Is(err, context.Canceled) {
-				c.debugLogf("sender canceled by reader exiting")
-			} else {
-				c.logf("sender failed: %v", err)
-			}
+			c.logf("sender failed: %v", err)
 		}
 	}()

 	for {
 		ft, fl, err := readFrameHeader(c.br)
-		c.debugLogf("read frame type %d len %d err %v", ft, fl, err)
+		c.debug("read frame type %d len %d err %v", ft, fl, err)
 		if err != nil {
 			if errors.Is(err, io.EOF) {
-				c.debugLogf("read EOF")
+				c.logf("read EOF")
 				return nil
 			}
 			if c.s.isClosed() {
@@ -927,11 +910,11 @@ func (c *sclient) handleFrameForwardPacket(ft frameType, fl uint32) error {
 		return nil
 	}

-	dst.debugLogf("received forwarded packet from %s via %s", srcKey.ShortString(), c.key.ShortString())
+	dst.debug("received forwarded packet from %s via %s", srcKey.ShortString(), c.key.ShortString())

 	return c.sendPkt(dst, pkt{
 		bs:         contents,
-		enqueuedAt: c.s.clock.Now(),
+		enqueuedAt: time.Now(),
 		src:        srcKey,
 	})
 }
@@ -977,7 +960,7 @@ func (c *sclient) handleFrameSendPacket(ft frameType, fl uint32) error {
 		if fwd != nil {
 			s.packetsForwardedOut.Add(1)
 			err := fwd.ForwardPacket(c.key, dstKey, contents)
-			c.debugLogf("SendPacket for %s, forwarding via %s: %v", dstKey.ShortString(), fwd, err)
+			c.debug("SendPacket for %s, forwarding via %s: %v", dstKey.ShortString(), fwd, err)
 			if err != nil {
 				// TODO:
 				return nil
@@ -991,21 +974,21 @@ func (c *sclient) handleFrameSendPacket(ft frameType, fl uint32) error {
 			c.requestPeerGoneWriteLimited(dstKey, contents, PeerGoneReasonNotHere)
 		}
 		s.recordDrop(contents, c.key, dstKey, reason)
-		c.debugLogf("SendPacket for %s, dropping with reason=%s", dstKey.ShortString(), reason)
+		c.debug("SendPacket for %s, dropping with reason=%s", dstKey.ShortString(), reason)
 		return nil
 	}
-	c.debugLogf("SendPacket for %s, sending directly", dstKey.ShortString())
+	c.debug("SendPacket for %s, sending directly", dstKey.ShortString())

 	p := pkt{
 		bs:         contents,
-		enqueuedAt: c.s.clock.Now(),
+		enqueuedAt: time.Now(),
 		src:        c.key,
 	}
 	return c.sendPkt(dst, p)
 }

-func (c *sclient) debugLogf(format string, v ...any) {
-	if c.debug {
+func (c *sclient) debug(format string, v ...any) {
+	if c.debugLogging {
 		c.logf(format, v...)
 	}
 }
@@ -1028,8 +1011,7 @@ const (
 func (s *Server) recordDrop(packetBytes []byte, srcKey, dstKey key.NodePublic, reason dropReason) {
 	s.packetsDropped.Add(1)
 	s.packetsDroppedReasonCounters[reason].Add(1)
-	looksDisco := disco.LooksLikeDiscoWrapper(packetBytes)
-	if looksDisco {
+	if disco.LooksLikeDiscoWrapper(packetBytes) {
 		s.packetsDroppedTypeDisco.Add(1)
 	} else {
 		s.packetsDroppedTypeOther.Add(1)
@@ -1042,7 +1024,9 @@ func (s *Server) recordDrop(packetBytes []byte, srcKey, dstKey key.NodePublic, r
 		msg := fmt.Sprintf("drop (%s) %s -> %s", srcKey.ShortString(), reason, dstKey.ShortString())
 		s.limitedLogf(msg)
 	}
-	s.debugLogf("dropping packet reason=%s dst=%s disco=%v", reason, dstKey, looksDisco)
+	if s.debug {
+		s.logf("dropping packet reason=%s dst=%s disco=%v", reason, dstKey, disco.LooksLikeDiscoWrapper(packetBytes))
+	}
 }

 func (c *sclient) sendPkt(dst *sclient, p pkt) error {
@@ -1060,13 +1044,13 @@ func (c *sclient) sendPkt(dst *sclient, p pkt) error {
 		select {
 		case <-dst.done:
 			s.recordDrop(p.bs, c.key, dstKey, dropReasonGoneDisconnected)
-			dst.debugLogf("sendPkt attempt %d dropped, dst gone", attempt)
+			dst.debug("sendPkt attempt %d dropped, dst gone", attempt)
 			return nil
 		default:
 		}
 		select {
 		case sendQueue <- p:
-			dst.debugLogf("sendPkt attempt %d enqueued", attempt)
+			dst.debug("sendPkt attempt %d enqueued", attempt)
 			return nil
 		default:
 		}
@@ -1082,7 +1066,7 @@ func (c *sclient) sendPkt(dst *sclient, p pkt) error {
 	// contended queue with racing writers. Give up and tail-drop in
 	// this case to keep reader unblocked.
 	s.recordDrop(p.bs, c.key, dstKey, dropReasonQueueTail)
-	dst.debugLogf("sendPkt attempt %d dropped, queue full")
+	dst.debug("sendPkt attempt %d dropped, queue full")

 	return nil
 }
@@ -1320,7 +1304,8 @@ type sclient struct {
 	canMesh        bool             // clientInfo had correct mesh token for inter-region routing
 	isDup          atomic.Bool      // whether more than 1 sclient for key is connected
 	isDisabled     atomic.Bool      // whether sends to this peer are disabled due to active/active dups
-	debug          bool             // turn on for verbose logging
+
+	debugLogging bool

 	// Owned by run, not thread-safe.
 	br          *bufio.Reader
@@ -1391,7 +1376,7 @@ func (c *sclient) setPreferred(v bool) {
 	// graphs, so not important to miss a move. But it shouldn't:
 	// the netcheck/re-STUNs in magicsock only happen about every
 	// 30 seconds.
-	if c.s.clock.Since(c.connectedAt) > 5*time.Second {
+	if time.Since(c.connectedAt) > 5*time.Second {
 		homeMove.Add(1)
 	}
 }
@@ -1405,7 +1390,7 @@ func expMovingAverage(prev, newValue, alpha float64) float64 {

 // recordQueueTime updates the average queue duration metric after a packet has been sent.
 func (c *sclient) recordQueueTime(enqueuedAt time.Time) {
-	elapsed := float64(c.s.clock.Since(enqueuedAt).Milliseconds())
+	elapsed := float64(time.Since(enqueuedAt).Milliseconds())
 	for {
 		old := atomic.LoadUint64(c.s.avgQueueDuration)
 		newAvg := expMovingAverage(math.Float64frombits(old), elapsed, 0.1)
@@ -1435,7 +1420,7 @@ func (c *sclient) sendLoop(ctx context.Context) error {
 	}()

 	jitter := time.Duration(rand.Intn(5000)) * time.Millisecond
-	keepAliveTick, keepAliveTickChannel := c.s.clock.NewTicker(keepAlive + jitter)
+	keepAliveTick := time.NewTicker(keepAlive + jitter)
 	defer keepAliveTick.Stop()

 	var werr error // last write error
@@ -1465,7 +1450,7 @@ func (c *sclient) sendLoop(ctx context.Context) error {
 		case msg := <-c.sendPongCh:
 			werr = c.sendPong(msg)
 			continue
-		case <-keepAliveTickChannel:
+		case <-keepAliveTick.C:
 			werr = c.sendKeepAlive()
 			continue
 		default:
@@ -1494,7 +1479,7 @@ func (c *sclient) sendLoop(ctx context.Context) error {
 		case msg := <-c.sendPongCh:
 			werr = c.sendPong(msg)
 			continue
-		case <-keepAliveTickChannel:
+		case <-keepAliveTick.C:
 			werr = c.sendKeepAlive()
 		}
 	}
@@ -1608,7 +1593,7 @@ func (c *sclient) sendPacket(srcKey key.NodePublic, contents []byte) (err error)
 			c.s.packetsSent.Add(1)
 			c.s.bytesSent.Add(int64(len(contents)))
 		}
-		c.debugLogf("sendPacket from %s: %v", srcKey.ShortString(), err)
+		c.debug("sendPacket from %s: %v", srcKey.ShortString(), err)
 	}()

 	c.setWriteDeadline()
--- a/derp/derp_server_linux.go
+++ b/derp/derp_server_linux.go
@@ -9,37 +9,45 @@ import (
 	"net"
 	"time"

-	"tailscale.com/net/tcpinfo"
+	"golang.org/x/sys/unix"
 )

 func (c *sclient) statsLoop(ctx context.Context) error {
-	// Get the RTT initially to verify it's supported.
-	conn := c.tcpConn()
-	if conn == nil {
+	// If we can't get a TCP socket, then we can't send stats.
+	tcpConn := c.tcpConn()
+	if tcpConn == nil {
 		c.s.tcpRtt.Add("non-tcp", 1)
 		return nil
 	}
-	if _, err := tcpinfo.RTT(conn); err != nil {
-		c.logf("error fetching initial RTT: %v", err)
+	rawConn, err := tcpConn.SyscallConn()
+	if err != nil {
+		c.logf("error getting SyscallConn: %v", err)
 		c.s.tcpRtt.Add("error", 1)
 		return nil
 	}

 	const statsInterval = 10 * time.Second

-	ticker, tickerChannel := c.s.clock.NewTicker(statsInterval)
+	ticker := time.NewTicker(statsInterval)
 	defer ticker.Stop()

+	var (
+		tcpInfo *unix.TCPInfo
+		sysErr  error
+	)
 statsLoop:
 	for {
 		select {
-		case <-tickerChannel:
-			rtt, err := tcpinfo.RTT(conn)
-			if err != nil {
+		case <-ticker.C:
+			err = rawConn.Control(func(fd uintptr) {
+				tcpInfo, sysErr = unix.GetsockoptTCPInfo(int(fd), unix.IPPROTO_TCP, unix.TCP_INFO)
+			})
+			if err != nil || sysErr != nil {
 				continue statsLoop
 			}

 			// TODO(andrew): more metrics?
+			rtt := time.Duration(tcpInfo.Rtt) * time.Microsecond
 			c.s.tcpRtt.Add(durationToLabel(rtt), 1)

 		case <-ctx.Done():
--- a/derp/derp_test.go
+++ b/derp/derp_test.go
@@ -27,7 +27,6 @@ import (
 	"golang.org/x/time/rate"
 	"tailscale.com/disco"
 	"tailscale.com/net/memnet"
-	"tailscale.com/tstest"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 )
@@ -991,10 +990,9 @@ func TestClientRecv(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			c := &Client{
-				nc:    dummyNetConn{},
-				br:    bufio.NewReader(bytes.NewReader(tt.input)),
-				logf:  t.Logf,
-				clock: &tstest.Clock{},
+				nc:   dummyNetConn{},
+				br:   bufio.NewReader(bytes.NewReader(tt.input)),
+				logf: t.Logf,
 			}
 			got, err := c.Recv()
 			if err != nil {
@@ -1437,8 +1435,7 @@ func (w *countWriter) ResetStats() {
 func TestClientSendRateLimiting(t *testing.T) {
 	cw := new(countWriter)
 	c := &Client{
-		bw:    bufio.NewWriter(cw),
-		clock: &tstest.Clock{},
+		bw: bufio.NewWriter(cw),
 	}
 	c.setSendRateLimiter(ServerInfoMessage{})

--- a/derp/derphttp/derphttp_client.go
+++ b/derp/derphttp/derphttp_client.go
@@ -38,10 +38,8 @@ import (
 	"tailscale.com/net/tshttpproxy"
 	"tailscale.com/syncs"
 	"tailscale.com/tailcfg"
-	"tailscale.com/tstime"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
-	"tailscale.com/util/cmpx"
 )

 // Client is a DERP-over-HTTP client.
@@ -84,7 +82,6 @@ type Client struct {
 	serverPubKey key.NodePublic
 	tlsState     *tls.ConnectionState
 	pingOut      map[derp.PingMessage]chan<- bool // chan to send to on pong
-	clock        tstime.Clock
 }

 func (c *Client) String() string {
@@ -103,7 +100,6 @@ func NewRegionClient(privateKey key.NodePrivate, logf logger.Logf, netMon *netmo
 		getRegion:  getRegion,
 		ctx:        ctx,
 		cancelCtx:  cancel,
-		clock:      tstime.StdClock{},
 	}
 	return c
 }
@@ -111,7 +107,7 @@ func NewRegionClient(privateKey key.NodePrivate, logf logger.Logf, netMon *netmo
 // NewNetcheckClient returns a Client that's only able to have its DialRegionTLS method called.
 // It's used by the netcheck package.
 func NewNetcheckClient(logf logger.Logf) *Client {
-	return &Client{logf: logf, clock: tstime.StdClock{}}
+	return &Client{logf: logf}
 }

 // NewClient returns a new DERP-over-HTTP client. It connects lazily.
@@ -132,7 +128,6 @@ func NewClient(privateKey key.NodePrivate, serverURL string, logf logger.Logf) (
 		url:        u,
 		ctx:        ctx,
 		cancelCtx:  cancel,
-		clock:      tstime.StdClock{},
 	}
 	return c, nil
 }
@@ -648,18 +643,21 @@ func (c *Client) dialNode(ctx context.Context, n *tailcfg.DERPNode) (net.Conn, e
 		nwait++
 		go func() {
 			if proto == "tcp4" && c.preferIPv6() {
-				t, tChannel := c.clock.NewTimer(200 * time.Millisecond)
+				t := time.NewTimer(200 * time.Millisecond)
 				select {
 				case <-ctx.Done():
 					// Either user canceled original context,
 					// it timed out, or the v6 dial succeeded.
 					t.Stop()
 					return
-				case <-tChannel:
+				case <-t.C:
 					// Start v4 dial
 				}
 			}
-			dst := cmpx.Or(dstPrimary, n.HostName)
+			dst := dstPrimary
+			if dst == "" {
+				dst = n.HostName
+			}
 			port := "443"
 			if n.DERPPort != 0 {
 				port = fmt.Sprint(n.DERPPort)
--- a/derp/derphttp/mesh_client.go
+++ b/derp/derphttp/mesh_client.go
@@ -51,7 +51,7 @@ func (c *Client) RunWatchConnectionLoop(ctx context.Context, ignoreServerKey key
 		present = map[key.NodePublic]bool{}
 	}
 	lastConnGen := 0
-	lastStatus := c.clock.Now()
+	lastStatus := time.Now()
 	logConnectedLocked := func() {
 		if loggedConnected {
 			return
@@ -61,7 +61,7 @@ func (c *Client) RunWatchConnectionLoop(ctx context.Context, ignoreServerKey key
 	}

 	const logConnectedDelay = 200 * time.Millisecond
-	timer := c.clock.AfterFunc(2*time.Second, func() {
+	timer := time.AfterFunc(2*time.Second, func() {
 		mu.Lock()
 		defer mu.Unlock()
 		logConnectedLocked()
@@ -91,11 +91,11 @@ func (c *Client) RunWatchConnectionLoop(ctx context.Context, ignoreServerKey key
 	}

 	sleep := func(d time.Duration) {
-		t, tChannel := c.clock.NewTimer(d)
+		t := time.NewTimer(d)
 		select {
 		case <-ctx.Done():
 			t.Stop()
-		case <-tChannel:
+		case <-t.C:
 		}
 	}

@@ -142,7 +142,7 @@ func (c *Client) RunWatchConnectionLoop(ctx context.Context, ignoreServerKey key
 			default:
 				continue
 			}
-			if now := c.clock.Now(); now.Sub(lastStatus) > statusInterval {
+			if now := time.Now(); now.Sub(lastStatus) > statusInterval {
 				lastStatus = now
 				infoLogf("%d peers", len(present))
 			}
--- a/disco/disco.go
+++ b/disco/disco.go
@@ -94,9 +94,6 @@ type Message interface {
 	AppendMarshal([]byte) []byte
 }

-// MessageHeaderLen is the length of a message header, 2 bytes for type and version.
-const MessageHeaderLen = 2
-
 // appendMsgHeader appends two bytes (for t and ver) and then also
 // dataLen bytes to b, returning the appended slice in all. The
 // returned data slice is a subslice of all with just dataLen bytes of
@@ -120,24 +117,15 @@ type Ping struct {
 	// netmap data to reduce the discokey:nodekey relation from 1:N to
 	// 1:1.
 	NodeKey key.NodePublic
-
-	// Padding is the number of 0 bytes at the end of the
-	// message. (It's used to probe path MTU.)
-	Padding int
 }

-// PingLen is the length of a marshalled ping message, without the message
-// header or padding.
-const PingLen = 12 + key.NodePublicRawLen
-
 func (m *Ping) AppendMarshal(b []byte) []byte {
 	dataLen := 12
 	hasKey := !m.NodeKey.IsZero()
 	if hasKey {
 		dataLen += key.NodePublicRawLen
 	}
-
-	ret, d := appendMsgHeader(b, TypePing, v0, dataLen+m.Padding)
+	ret, d := appendMsgHeader(b, TypePing, v0, dataLen)
 	n := copy(d, m.TxID[:])
 	if hasKey {
 		m.NodeKey.AppendTo(d[:n])
@@ -150,14 +138,11 @@ func parsePing(ver uint8, p []byte) (m *Ping, err error) {
 		return nil, errShort
 	}
 	m = new(Ping)
-	m.Padding = len(p)
 	p = p[copy(m.TxID[:], p):]
-	m.Padding -= 12
 	// Deliberately lax on longer-than-expected messages, for future
 	// compatibility.
 	if len(p) >= key.NodePublicRawLen {
 		m.NodeKey = key.NodePublicFromRaw32(mem.B(p[:key.NodePublicRawLen]))
-		m.Padding -= key.NodePublicRawLen
 	}
 	return m, nil
 }
@@ -229,8 +214,6 @@ type Pong struct {
 	Src  netip.AddrPort // 18 bytes (16+2) on the wire; v4-mapped ipv6 for IPv4
 }

-// pongLen is the length of a marshalled pong message, without the message
-// header.
 const pongLen = 12 + 16 + 2

 func (m *Pong) AppendMarshal(b []byte) []byte {
--- a/disco/disco_test.go
+++ b/disco/disco_test.go
@@ -35,23 +35,6 @@ func TestMarshalAndParse(t *testing.T) {
 			},
 			want: "01 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 00 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 1f",
 		},
-		{
-			name: "ping_with_padding",
-			m: &Ping{
-				TxID:    [12]byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12},
-				Padding: 3,
-			},
-			want: "01 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 00 00 00",
-		},
-		{
-			name: "ping_with_padding_and_nodekey_src",
-			m: &Ping{
-				TxID:    [12]byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12},
-				NodeKey: key.NodePublicFromRaw32(mem.B([]byte{1: 1, 2: 2, 30: 30, 31: 31})),
-				Padding: 3,
-			},
-			want: "01 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 00 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 1f 00 00 00",
-		},
 		{
 			name: "pong",
 			m: &Pong{
--- a/disco/pcap.go
+++ b/disco/pcap.go
@@ -1,40 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package disco
-
-import (
-	"bytes"
-	"encoding/binary"
-	"net/netip"
-
-	"tailscale.com/tailcfg"
-	"tailscale.com/types/key"
-)
-
-// ToPCAPFrame marshals the bytes for a pcap record that describe a disco frame.
-//
-// Warning: Alloc garbage. Acceptable while capturing.
-func ToPCAPFrame(src netip.AddrPort, derpNodeSrc key.NodePublic, payload []byte) []byte {
-	var (
-		b    bytes.Buffer
-		flag uint8
-	)
-	b.Grow(128) // Most disco frames will probably be smaller than this.
-
-	if src.Addr() == tailcfg.DerpMagicIPAddr {
-		flag |= 0x01
-	}
-	b.WriteByte(flag) // 1b: flag
-
-	derpSrc := derpNodeSrc.Raw32()
-	b.Write(derpSrc[:])                                       // 32b: derp public key
-	binary.Write(&b, binary.LittleEndian, uint16(src.Port())) // 2b: port
-	addr, _ := src.Addr().MarshalBinary()
-	binary.Write(&b, binary.LittleEndian, uint16(len(addr)))    // 2b: len(addr)
-	b.Write(addr)                                               // Xb: addr
-	binary.Write(&b, binary.LittleEndian, uint16(len(payload))) // 2b: len(payload)
-	b.Write(payload)                                            // Xb: payload
-
-	return b.Bytes()
-}
--- a/docs/k8s/Makefile
+++ b/docs/k8s/Makefile
@@ -6,20 +6,22 @@ SA_NAME ?= tailscale
 TS_KUBE_SECRET ?= tailscale

 rbac:
-	@sed -e "s;{{TS_KUBE_SECRET}};$(TS_KUBE_SECRET);g" role.yaml
-	@echo "---"
-	@sed -e "s;{{SA_NAME}};$(SA_NAME);g" rolebinding.yaml
-	@echo "---"
-	@sed -e "s;{{SA_NAME}};$(SA_NAME);g" sa.yaml
+	@sed -e "s;{{TS_KUBE_SECRET}};$(TS_KUBE_SECRET);g" role.yaml | kubectl apply -f -
+	@sed -e "s;{{SA_NAME}};$(SA_NAME);g" rolebinding.yaml | kubectl apply -f -
+	@sed -e "s;{{SA_NAME}};$(SA_NAME);g" sa.yaml | kubectl apply -f -

 sidecar:
-	@sed -e "s;{{TS_KUBE_SECRET}};$(TS_KUBE_SECRET);g" sidecar.yaml | sed -e "s;{{SA_NAME}};$(SA_NAME);g"
+	@kubectl delete -f sidecar.yaml --ignore-not-found --grace-period=0
+	@sed -e "s;{{TS_KUBE_SECRET}};$(TS_KUBE_SECRET);g" sidecar.yaml | sed -e "s;{{SA_NAME}};$(SA_NAME);g" | kubectl create -f-

 userspace-sidecar:
-	@sed -e "s;{{TS_KUBE_SECRET}};$(TS_KUBE_SECRET);g" userspace-sidecar.yaml | sed -e "s;{{SA_NAME}};$(SA_NAME);g"
+	@kubectl delete -f userspace-sidecar.yaml --ignore-not-found --grace-period=0
+	@sed -e "s;{{TS_KUBE_SECRET}};$(TS_KUBE_SECRET);g" userspace-sidecar.yaml | sed -e "s;{{SA_NAME}};$(SA_NAME);g" | kubectl create -f-

 proxy:
-	@sed -e "s;{{TS_KUBE_SECRET}};$(TS_KUBE_SECRET);g" proxy.yaml | sed -e "s;{{SA_NAME}};$(SA_NAME);g" | sed -e "s;{{TS_DEST_IP}};$(TS_DEST_IP);g"
+	kubectl delete -f proxy.yaml --ignore-not-found --grace-period=0
+	sed -e "s;{{TS_KUBE_SECRET}};$(TS_KUBE_SECRET);g" proxy.yaml | sed -e "s;{{SA_NAME}};$(SA_NAME);g" | sed -e "s;{{TS_DEST_IP}};$(TS_DEST_IP);g" | kubectl create -f-

 subnet-router:
-	@sed -e "s;{{TS_KUBE_SECRET}};$(TS_KUBE_SECRET);g" subnet.yaml | sed -e "s;{{SA_NAME}};$(SA_NAME);g" | sed -e "s;{{TS_ROUTES}};$(TS_ROUTES);g"
+	@kubectl delete -f subnet.yaml --ignore-not-found --grace-period=0
+	@sed -e "s;{{TS_KUBE_SECRET}};$(TS_KUBE_SECRET);g" subnet.yaml | sed -e "s;{{SA_NAME}};$(SA_NAME);g" | sed -e "s;{{TS_ROUTES}};$(TS_ROUTES);g" | kubectl create -f-
--- a/docs/k8s/README.md
+++ b/docs/k8s/README.md
@@ -26,7 +26,7 @@ There are quite a few ways of running Tailscale inside a Kubernetes Cluster, som
   ```bash
   export SA_NAME=tailscale
   export TS_KUBE_SECRET=tailscale-auth
-   make rbac | kubectl apply -f-
+   make rbac
   ```

 ### Sample Sidecar
@@ -36,7 +36,7 @@ Running as a sidecar allows you to directly expose a Kubernetes pod over Tailsca
 1. Create and login to the sample nginx pod with a Tailscale sidecar

   ```bash
-   make sidecar | kubectl apply -f-
+   make sidecar
   # If not using an auth key, authenticate by grabbing the Login URL here:
   kubectl logs nginx ts-sidecar
   ```
@@ -60,7 +60,7 @@ You can also run the sidecar in userspace mode. The obvious benefit is reducing
 1. Create and login to the sample nginx pod with a Tailscale sidecar

   ```bash
-   make userspace-sidecar | kubectl apply -f-
+   make userspace-sidecar
   # If not using an auth key, authenticate by grabbing the Login URL here:
   kubectl logs nginx ts-sidecar
   ```
@@ -100,7 +100,7 @@ Running a Tailscale proxy allows you to provide inbound connectivity to a Kubern
 1. Deploy the proxy pod

   ```bash
-   make proxy | kubectl apply -f-
+   make proxy
   # If not using an auth key, authenticate by grabbing the Login URL here:
   kubectl logs proxy
   ```
@@ -133,7 +133,7 @@ the entire Kubernetes cluster network (assuming NetworkPolicies allow) over Tail
 1. Deploy the subnet-router pod.

   ```bash
-   make subnet-router | kubectl apply -f-
+   make subnet-router
   # If not using an auth key, authenticate by grabbing the Login URL here:
   kubectl logs subnet-router
   ```
--- a/flake.nix
+++ b/flake.nix
@@ -115,4 +115,4 @@
  in
    flake-utils.lib.eachDefaultSystem (system: flakeForSystem nixpkgs system);
 }
-# nix-direnv cache busting line: sha256-hWfdcvm2ief313JMgzDIispAnwi+D1iWsm0UHWOomxg=
+# nix-direnv cache busting line: sha256-7L+dvS++UNfMVcPUCbK/xuBPwtrzW4RpZTtcl7VCwQs=
--- a/go.mod
+++ b/go.mod
@@ -24,7 +24,7 @@ require (
 	github.com/frankban/quicktest v1.14.5
 	github.com/fxamacker/cbor/v2 v2.4.0
 	github.com/go-json-experiment/json v0.0.0-20230321051131-ccbac49a6929
-	github.com/go-logr/zapr v1.2.4
+	github.com/go-logr/zapr v1.2.3
 	github.com/go-ole/go-ole v1.2.6
 	github.com/godbus/dbus/v5 v5.1.0
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da
@@ -48,7 +48,7 @@ require (
 	github.com/mdlayher/genetlink v1.3.2
 	github.com/mdlayher/netlink v1.7.2
 	github.com/mdlayher/sdnotify v1.0.0
-	github.com/miekg/dns v1.1.55
+	github.com/miekg/dns v1.1.54
 	github.com/mitchellh/go-ps v1.0.0
 	github.com/peterbourgon/ff/v3 v3.3.0
 	github.com/pkg/errors v0.9.1
@@ -59,31 +59,30 @@ require (
 	github.com/tailscale/certstore v0.1.1-0.20220316223106-78d6e1c49d8d
 	github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502
 	github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41
-	github.com/tailscale/golang-x-crypto v0.0.0-20230713185742-f0b76a10a08e
+	github.com/tailscale/golang-x-crypto v0.0.0-20221115211329-17a3db2c30d2
 	github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05
 	github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a
 	github.com/tailscale/mkctr v0.0.0-20220601142259-c0b937af2e89
 	github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85
-	github.com/tailscale/wireguard-go v0.0.0-20230710185534-bb2c8f22eccf
+	github.com/tailscale/wireguard-go v0.0.0-20230410165232-af172621b4dd
 	github.com/tc-hib/winres v0.2.0
 	github.com/tcnksm/go-httpstat v0.2.0
 	github.com/toqueteos/webbrowser v1.2.0
 	github.com/u-root/u-root v0.11.0
 	github.com/vishvananda/netlink v1.2.1-beta.2
-	github.com/vishvananda/netns v0.0.4
 	go.uber.org/zap v1.24.0
 	go4.org/mem v0.0.0-20220726221520-4f986261bf13
 	go4.org/netipx v0.0.0-20230303233057-f1b76eb4bb35
-	golang.org/x/crypto v0.11.0
+	golang.org/x/crypto v0.8.0
 	golang.org/x/exp v0.0.0-20230425010034-47ecfdc1ba53
 	golang.org/x/mod v0.10.0
-	golang.org/x/net v0.10.0
+	golang.org/x/net v0.9.0
 	golang.org/x/oauth2 v0.7.0
 	golang.org/x/sync v0.2.0
-	golang.org/x/sys v0.10.0
-	golang.org/x/term v0.10.0
+	golang.org/x/sys v0.8.0
+	golang.org/x/term v0.7.0
 	golang.org/x/time v0.3.0
-	golang.org/x/tools v0.9.1
+	golang.org/x/tools v0.8.0
 	golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2
 	golang.zx2c4.com/wireguard/windows v0.5.3
 	gvisor.dev/gvisor v0.0.0-20230504175454-7b0a1988a28f
@@ -91,11 +90,11 @@ require (
 	inet.af/peercred v0.0.0-20210906144145-0893ea02156a
 	inet.af/tcpproxy v0.0.0-20221017015627-91f861402626
 	inet.af/wf v0.0.0-20221017222439-36129f591884
-	k8s.io/api v0.27.2
-	k8s.io/apimachinery v0.27.2
-	k8s.io/client-go v0.27.2
+	k8s.io/api v0.26.1
+	k8s.io/apimachinery v0.26.1
+	k8s.io/client-go v0.26.1
 	nhooyr.io/websocket v1.8.7
-	sigs.k8s.io/controller-runtime v0.15.0
+	sigs.k8s.io/controller-runtime v0.14.6
 	sigs.k8s.io/yaml v1.3.0
 	software.sslmate.com/src/go-pkcs12 v0.2.0
 )
@@ -155,7 +154,7 @@ require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/denis-tingaikin/go-header v0.4.3 // indirect
 	github.com/docker/cli v23.0.5+incompatible // indirect
-	github.com/docker/distribution v2.8.2+incompatible // indirect
+	github.com/docker/distribution v2.8.1+incompatible // indirect
 	github.com/docker/docker v23.0.5+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.7.0 // indirect
 	github.com/emicklei/go-restful/v3 v3.10.2 // indirect
@@ -323,6 +322,7 @@ require (
 	github.com/ultraware/whitespace v0.0.5 // indirect
 	github.com/uudashr/gocognit v1.0.6 // indirect
 	github.com/vbatts/tar-split v0.11.2 // indirect
+	github.com/vishvananda/netns v0.0.4 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/yagipy/maintidx v1.0.0 // indirect
@@ -333,8 +333,8 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	golang.org/x/exp/typeparams v0.0.0-20230425010034-47ecfdc1ba53 // indirect
 	golang.org/x/image v0.7.0 // indirect
-	golang.org/x/text v0.11.0 // indirect
-	gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect
+	golang.org/x/text v0.9.0 // indirect
+	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/protobuf v1.30.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
@@ -343,8 +343,8 @@ require (
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	howett.net/plist v1.0.0 // indirect
-	k8s.io/apiextensions-apiserver v0.27.2 // indirect
-	k8s.io/component-base v0.27.2 // indirect
+	k8s.io/apiextensions-apiserver v0.26.1 // indirect
+	k8s.io/component-base v0.26.1 // indirect
 	k8s.io/klog/v2 v2.100.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f // indirect
 	k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect
--- a/go.mod.sri
+++ b/go.mod.sri
@@ -1 +1 @@
-sha256-hWfdcvm2ief313JMgzDIispAnwi+D1iWsm0UHWOomxg=
+sha256-7L+dvS++UNfMVcPUCbK/xuBPwtrzW4RpZTtcl7VCwQs=
--- a/go.sum
+++ b/go.sum
@@ -249,8 +249,8 @@ github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZm
 github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no=
 github.com/docker/cli v23.0.5+incompatible h1:ufWmAOuD3Vmr7JP2G5K3cyuNC4YZWiAsuDEvFVVDafE=
 github.com/docker/cli v23.0.5+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
-github.com/docker/distribution v2.8.2+incompatible h1:T3de5rq0dB1j30rp0sA2rER+m322EBzniBPB6ZIzuh8=
-github.com/docker/distribution v2.8.2+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
+github.com/docker/distribution v2.8.1+incompatible h1:Q50tZOPR6T/hjNsyc9g8/syEs6bk8XXApsHjKukMl68=
+github.com/docker/distribution v2.8.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/docker v23.0.5+incompatible h1:DaxtlTJjFSnLOXVNUBU1+6kXGz2lpDoEAH6QoxaSg8k=
 github.com/docker/docker v23.0.5+incompatible/go.mod h1:eEKB0N0r5NX/I1kEveEz05bcu8tLC/8azJZsviup8Sk=
 github.com/docker/docker-credential-helpers v0.7.0 h1:xtCHsjxogADNZcdv1pKUHXryefjlVRqWqIhk/uXJp0A=
@@ -274,6 +274,7 @@ github.com/esimonov/ifshort v1.0.4 h1:6SID4yGWfRae/M7hkVDVVyppy8q/v9OuxNdmjLQStB
 github.com/esimonov/ifshort v1.0.4/go.mod h1:Pe8zjlRrJ80+q2CxHLfEOfTwxCZ4O+MuhcHcfgNWTk0=
 github.com/ettle/strcase v0.1.1 h1:htFueZyVeE1XNnMEfbqp5r67qAN/4r6ya1ysq8Q+Zcw=
 github.com/ettle/strcase v0.1.1/go.mod h1:hzDLsPC7/lwKyBOywSHEP89nt2pDgdy+No1NBA9o9VY=
+github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ=
 github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U=
 github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww=
@@ -338,10 +339,11 @@ github.com/go-logfmt/logfmt v0.3.0/go.mod h1:Qt1PoO58o5twSAckw1HlFXLmHsOX5/0LbT9
 github.com/go-logfmt/logfmt v0.4.0/go.mod h1:3RMwSq7FuexP4Kalkev3ejPJsZTpXXBr9+V4qmtdjCk=
 github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
 github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
 github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/zapr v1.2.4 h1:QHVo+6stLbfJmYGkQ7uGHUCu5hnAFAj6mDe6Ea0SeOo=
-github.com/go-logr/zapr v1.2.4/go.mod h1:FyHWQIzQORZ0QVE1BtVHv3cKtNLuXsbNLtpuhNapBOA=
+github.com/go-logr/zapr v1.2.3 h1:a9vnzlIBPQBBkeaR9IuMUfmVOrQlkoC4YfPoFkX3T7A=
+github.com/go-logr/zapr v1.2.3/go.mod h1:eIauM6P8qSvTw5o2ez6UEAfGjQKrxQTl5EoK+Qa2oG4=
 github.com/go-ole/go-ole v1.2.1/go.mod h1:7FAglXiTm7HKlQRDeOQ6ZNUHidzCWXuZWq/1dTyBNF8=
 github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY=
 github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
@@ -360,7 +362,6 @@ github.com/go-playground/validator/v10 v10.2.0 h1:KgJ0snyC2R9VXYN2rneOtQcw5aHQB1
 github.com/go-playground/validator/v10 v10.2.0/go.mod h1:uOYAAleCW8F/7oMFd6aG0GOhaH6EGOAJShg8Id5JGkI=
 github.com/go-sql-driver/mysql v1.4.0/go.mod h1:zAC/RDZ24gD3HViQzih4MyKcchzm+sOG5ZlKdlhCg5w=
 github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
-github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
 github.com/go-toolsmith/astcast v1.0.0/go.mod h1:mt2OdQTeAQcY4DQgPSArJjHCcOwlX+Wl/kwN+LbLGQ4=
 github.com/go-toolsmith/astcast v1.1.0 h1:+JN9xZV1A+Re+95pgnMgDboWNVnIMMQXwfBwLRPgSC8=
 github.com/go-toolsmith/astcast v1.1.0/go.mod h1:qdcuFWeGGS2xX5bLM/c3U9lewg7+Zu4mr+xPwZIB4ZU=
@@ -513,7 +514,6 @@ github.com/google/pprof v0.0.0-20200708004538-1a94d8640e99/go.mod h1:ZgVRPoUq/hf
 github.com/google/pprof v0.0.0-20201023163331-3e6fc7fc9c4c/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20201203190320-1bf35d6f28c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
 github.com/google/pprof v0.0.0-20201218002935-b9804c9f04c2/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
-github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec=
 github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
 github.com/google/rpmpack v0.0.0-20201206194719-59e495f2b7e1/go.mod h1:+y9lKiqDhR4zkLl+V9h4q0rdyrYVsWWm6LLCQP33DIk=
 github.com/google/rpmpack v0.0.0-20221120200012-98b63d62fd77 h1:+C0+foB1Bm0WYdbaDIuUGEVG1Eqx9WWcGUoJBSLdZo0=
@@ -767,8 +767,8 @@ github.com/mdlayher/socket v0.4.1/go.mod h1:cAqeGjoufqdxWkD7DkpyS+wcefOtmu5OQ8Ku
 github.com/mgechev/revive v1.3.1 h1:OlQkcH40IB2cGuprTPcjB0iIUddgVZgGmDX3IAMR8D4=
 github.com/mgechev/revive v1.3.1/go.mod h1:YlD6TTWl2B8A103R9KWJSPVI9DrEf+oqr15q21Ld+5I=
 github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
-github.com/miekg/dns v1.1.55 h1:GoQ4hpsj0nFLYe+bWiCToyrBEJXkQfOOIvFGFy0lEgo=
-github.com/miekg/dns v1.1.55/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY=
+github.com/miekg/dns v1.1.54 h1:5jon9mWcb0sFJGpnI99tOMhCPyJ+RPVz5b63MQG0VWI=
+github.com/miekg/dns v1.1.54/go.mod h1:uInx36IzPl7FYnDcMeVWxj9byh7DutNykX4G9Sj60FY=
 github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
 github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw=
 github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
@@ -831,11 +831,11 @@ github.com/onsi/ginkgo v1.6.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+W
 github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
 github.com/onsi/ginkgo v1.14.1 h1:jMU0WaQrP0a/YAEq8eJmJKjBoMs+pClEr1vDMlM/Do4=
 github.com/onsi/ginkgo v1.14.1/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY=
-github.com/onsi/ginkgo/v2 v2.9.5 h1:+6Hr4uxzP4XIUyAkg61dWBw8lb/gc4/X5luuxN/EC+Q=
+github.com/onsi/ginkgo/v2 v2.8.0 h1:pAM+oBNPrpXRs+E/8spkeGx9QgekbRVyr74EUvRVOUI=
 github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/onsi/gomega v1.10.2/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
-github.com/onsi/gomega v1.27.7 h1:fVih9JD6ogIiHUN6ePK7HJidyEDpWGVB5mzM7cWNXoU=
+github.com/onsi/gomega v1.26.0 h1:03cDLK28U6hWvCAns6NeydX3zIm4SF3ci69ulidS32Q=
 github.com/op/go-logging v0.0.0-20160315200505-970db520ece7/go.mod h1:HzydrMdWErDVzsI23lYNej1Htcns9BCg93Dk0bBINWk=
 github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
 github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
@@ -1054,8 +1054,8 @@ github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502 h1:34icjjmqJ2HP
 github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502/go.mod h1:p9lPsd+cx33L3H9nNoecRRxPssFKUwwI50I3pZ0yT+8=
 github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41 h1:/V2rCMMWcsjYaYO2MeovLw+ClP63OtXgCF2Y1eb8+Ns=
 github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41/go.mod h1:/roCdA6gg6lQyw/Oz6gIIGu3ggJKYhF+WC/AQReE5XQ=
-github.com/tailscale/golang-x-crypto v0.0.0-20230713185742-f0b76a10a08e h1:JyeJF/HuSwvxWtsR1c0oKX1lzaSH5Wh4aX+MgiStaGQ=
-github.com/tailscale/golang-x-crypto v0.0.0-20230713185742-f0b76a10a08e/go.mod h1:DjoeCULdP6vTJ/xY+nzzR9LaUHprkbZEpNidX0aqEEk=
+github.com/tailscale/golang-x-crypto v0.0.0-20221115211329-17a3db2c30d2 h1:pBpqbsyX9H8c26oPYC2H+232HOdp1gDnCztoKmKWKDA=
+github.com/tailscale/golang-x-crypto v0.0.0-20221115211329-17a3db2c30d2/go.mod h1:V2G8jyemEGZWKQ+3xNn4+bOx+FuoXU9Zc5GUsZMthBg=
 github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05 h1:4chzWmimtJPxRs2O36yuGRW3f9SYV+bMTTvMBI0EKio=
 github.com/tailscale/goupnp v1.0.1-0.20210804011211-c64d0f06ea05/go.mod h1:PdCqy9JzfWMJf1H5UJW2ip33/d4YkoKN0r67yKH1mG8=
 github.com/tailscale/hujson v0.0.0-20221223112325-20486734a56a h1:SJy1Pu0eH1C29XwJucQo73FrleVK6t4kYz4NVhp34Yw=
@@ -1064,8 +1064,8 @@ github.com/tailscale/mkctr v0.0.0-20220601142259-c0b937af2e89 h1:7xU7AFQE83h0wz/
 github.com/tailscale/mkctr v0.0.0-20220601142259-c0b937af2e89/go.mod h1:OGMqrTzDqmJkGumUTtOv44Rp3/4xS+QFbE8Rn0AGlaU=
 github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85 h1:zrsUcqrG2uQSPhaUPjUQwozcRdDdSxxqhNgNZ3drZFk=
 github.com/tailscale/netlink v1.1.1-0.20211101221916-cabfb018fe85/go.mod h1:NzVQi3Mleb+qzq8VmcWpSkcSYxXIg0DkI6XDzpVkhJ0=
-github.com/tailscale/wireguard-go v0.0.0-20230710185534-bb2c8f22eccf h1:bHQHwIHId353jAF2Lm0cGDjJpse/PYS0I0DTtihL9Ls=
-github.com/tailscale/wireguard-go v0.0.0-20230710185534-bb2c8f22eccf/go.mod h1:QRIcq2+DbdIC5sKh/gcAZhuqu6WT6L6G8/ALPN5wqYw=
+github.com/tailscale/wireguard-go v0.0.0-20230410165232-af172621b4dd h1:+fBevMGmDRNi0oWD4SJXmPKLWvIBYX1NroMjo9czjcY=
+github.com/tailscale/wireguard-go v0.0.0-20230410165232-af172621b4dd/go.mod h1:QRIcq2+DbdIC5sKh/gcAZhuqu6WT6L6G8/ALPN5wqYw=
 github.com/tc-hib/winres v0.2.0 h1:gly/ivDWGvlhl7ENtEmA7wPQ6dWab1LlLq/DgcZECKE=
 github.com/tc-hib/winres v0.2.0/go.mod h1:uG6S5M2Q0/kThoqsCSYvGJODUQP9O9R0SNxUPmFIegw=
 github.com/tcnksm/go-httpstat v0.2.0 h1:rP7T5e5U2HfmOBmZzGgGZjBQ5/GluWUylujl0tJ04I0=
@@ -1172,13 +1172,13 @@ go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A=
-go.uber.org/goleak v1.1.11/go.mod h1:cwTWslyiVhfpKIDGSZEM2HlOvcqm+tG4zioyIeLoqMQ=
-go.uber.org/goleak v1.2.1 h1:NBol2c7O1ZokfZ0LEU9K6Whx/KnwvepVetCUhtKja4A=
+go.uber.org/goleak v1.2.0 h1:xqgm/S+aQvhWFTtR0XK3Jvg7z8kGV8P4X14IzwN3Eqk=
 go.uber.org/multierr v1.1.0/go.mod h1:wR5kodmAFQ0UK8QlbwjlSNy0Z68gJhDJUG5sjR94q/0=
 go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
 go.uber.org/zap v1.10.0/go.mod h1:vwi/ZaCAaUcBkycHslxD9B2zi4UTXhF60s6SWpuDF0Q=
+go.uber.org/zap v1.19.0/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI=
 go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60=
 go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg=
 go4.org/mem v0.0.0-20220726221520-4f986261bf13 h1:CbZeCBZ0aZj8EfVgnqQcYZgf0lpZ3H9rmp5nkDTAst8=
@@ -1210,8 +1210,8 @@ golang.org/x/crypto v0.0.0-20220826181053-bd7e27e6170d/go.mod h1:IxCIyHEi3zRg3s0
 golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
 golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
 golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
-golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA=
-golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio=
+golang.org/x/crypto v0.8.0 h1:pd9TJtTueMTVQXzk8E2XESSMQDj/U7OUu0PqJqPXQjQ=
+golang.org/x/crypto v0.8.0/go.mod h1:mRqEX+O9/h5TFCrQhkgjo2yKi0yYA+9ecGkdQoHrywE=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -1316,8 +1316,8 @@ golang.org/x/net v0.5.0/go.mod h1:DivGGAXEgPSlEBzxGzZI+ZLohi+xUj054jfeKui00ws=
 golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
-golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
-golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/net v0.9.0 h1:aWJ/m6xSmxWBx+V0XRHTlrYrPG56jKsLdTFmsSsCzOM=
+golang.org/x/net v0.9.0/go.mod h1:d48xBJpPfHeWQsugry2m+kC02ZBRGRgulfHnEXEuWns=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1432,8 +1432,8 @@ golang.org/x/sys v0.4.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.4.1-0.20230131160137-e7d7f63158de/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA=
-golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU=
+golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -1444,8 +1444,8 @@ golang.org/x/term v0.3.0/go.mod h1:q750SLmJuPmVoN1blW3UFBPREJfb1KmY3vwxfr+nFDA=
 golang.org/x/term v0.4.0/go.mod h1:9P2UbLfCdcvo3p/nzKvsmas4TnlujnuoV9hGgYzW1lQ=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
 golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
-golang.org/x/term v0.10.0 h1:3R7pNqamzBraeqj/Tj8qt1aQ2HpmlC+Cx/qL/7hn4/c=
-golang.org/x/term v0.10.0/go.mod h1:lpqdcUyK/oCiQxvxVrppt5ggO2KCZ5QblwqPnfZ6d5o=
+golang.org/x/term v0.7.0 h1:BEvjmm5fURWqcfbSKTdpkDXYBrUS1c0m8agp14W48vQ=
+golang.org/x/term v0.7.0/go.mod h1:P32HKFT3hSsZrRxla30E9HqToFYAQPCMs/zFMBUFqPY=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -1460,9 +1460,8 @@ golang.org/x/text v0.5.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.6.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
-golang.org/x/text v0.11.0 h1:LAntKIrcmeSKERyiOh0XMV39LXS8IE9UL2yP7+f5ij4=
-golang.org/x/text v0.11.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
@@ -1567,8 +1566,8 @@ golang.org/x/tools v0.3.0/go.mod h1:/rWhSS2+zyEVwoJf8YAX6L2f0ntZ7Kn/mGgAWcipA5k=
 golang.org/x/tools v0.4.0/go.mod h1:UE5sM2OK9E/d67R0ANs2xJizIymRP5gJU295PvKXxjQ=
 golang.org/x/tools v0.5.0/go.mod h1:N+Kgy78s5I24c24dU8OfWNEotWjutIs8SnJvn5IDq+k=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.9.1 h1:8WMNJAz3zrtPmnYC7ISf5dEn3MT0gY7jBJfw27yrrLo=
-golang.org/x/tools v0.9.1/go.mod h1:owI94Op576fPu3cIGQeHs3joujW/2Oc6MtlxbF5dfNc=
+golang.org/x/tools v0.8.0 h1:vSDcovVPld282ceKgDimkRSC8kpaH1dgyc9UMzlt84Y=
+golang.org/x/tools v0.8.0/go.mod h1:JxBZ99ISMI5ViVkT1tr6tdNmXeTrcpVSD3vZ1RsRdN4=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -1577,8 +1576,8 @@ golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 h1:B82qJJgjvYKsXS9jeu
 golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2/go.mod h1:deeaetjYA+DHMHg+sMSMI58GrEteJUUzzw7en6TJQcI=
 golang.zx2c4.com/wireguard/windows v0.5.3 h1:On6j2Rpn3OEMXqBq00QEDC7bWSZrPIHKIus8eIuExIE=
 golang.zx2c4.com/wireguard/windows v0.5.3/go.mod h1:9TEe8TJmtwyQebdFwAkEWOPr3prrtqm+REGFifP60hI=
-gomodules.xyz/jsonpatch/v2 v2.3.0 h1:8NFhfS6gzxNqjLIYnZxg319wZ5Qjnx4m/CcX+Klzazc=
-gomodules.xyz/jsonpatch/v2 v2.3.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
+gomodules.xyz/jsonpatch/v2 v2.2.0 h1:4pT439QV83L+G9FkcCriY6EkpcK6r6bK+A5FBUMI7qY=
+gomodules.xyz/jsonpatch/v2 v2.2.0/go.mod h1:WXp+iVDkoLQqPudfQ9GBlwB2eZ5DKOnjQZCYdOS8GPY=
 google.golang.org/api v0.4.0/go.mod h1:8k5glujaEP+g9n7WNsDg8QP6cUVNI86fCNMcbazEtwE=
 google.golang.org/api v0.7.0/go.mod h1:WtwebWUNSVBH/HAw79HIFXZNqEvBhG+Ra+ax0hx3E3M=
 google.golang.org/api v0.8.0/go.mod h1:o4eAsZoiT+ibD93RtjEohWalFOjRDx6CVaqeizhEnKg=
@@ -1710,6 +1709,7 @@ gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
@@ -1734,16 +1734,16 @@ inet.af/tcpproxy v0.0.0-20221017015627-91f861402626 h1:2dMP3Ox/Wh5BiItwOt4jxRsfz
 inet.af/tcpproxy v0.0.0-20221017015627-91f861402626/go.mod h1:Tojt5kmHpDIR2jMojxzZK2w2ZR7OILODmUo2gaSwjrk=
 inet.af/wf v0.0.0-20221017222439-36129f591884 h1:zg9snq3Cpy50lWuVqDYM7AIRVTtU50y5WXETMFohW/Q=
 inet.af/wf v0.0.0-20221017222439-36129f591884/go.mod h1:bSAQ38BYbY68uwpasXOTZo22dKGy9SNvI6PZFeKomZE=
-k8s.io/api v0.27.2 h1:+H17AJpUMvl+clT+BPnKf0E3ksMAzoBBg7CntpSuADo=
-k8s.io/api v0.27.2/go.mod h1:ENmbocXfBT2ADujUXcBhHV55RIT31IIEvkntP6vZKS4=
-k8s.io/apiextensions-apiserver v0.27.2 h1:iwhyoeS4xj9Y7v8YExhUwbVuBhMr3Q4bd/laClBV6Bo=
-k8s.io/apiextensions-apiserver v0.27.2/go.mod h1:Oz9UdvGguL3ULgRdY9QMUzL2RZImotgxvGjdWRq6ZXQ=
-k8s.io/apimachinery v0.27.2 h1:vBjGaKKieaIreI+oQwELalVG4d8f3YAMNpWLzDXkxeg=
-k8s.io/apimachinery v0.27.2/go.mod h1:XNfZ6xklnMCOGGFNqXG7bUrQCoR04dh/E7FprV6pb+E=
-k8s.io/client-go v0.27.2 h1:vDLSeuYvCHKeoQRhCXjxXO45nHVv2Ip4Fe0MfioMrhE=
-k8s.io/client-go v0.27.2/go.mod h1:tY0gVmUsHrAmjzHX9zs7eCjxcBsf8IiNe7KQ52biTcQ=
-k8s.io/component-base v0.27.2 h1:neju+7s/r5O4x4/txeUONNTS9r1HsPbyoPBAtHsDCpo=
-k8s.io/component-base v0.27.2/go.mod h1:5UPk7EjfgrfgRIuDBFtsEFAe4DAvP3U+M8RTzoSJkpo=
+k8s.io/api v0.26.1 h1:f+SWYiPd/GsiWwVRz+NbFyCgvv75Pk9NK6dlkZgpCRQ=
+k8s.io/api v0.26.1/go.mod h1:xd/GBNgR0f707+ATNyPmQ1oyKSgndzXij81FzWGsejg=
+k8s.io/apiextensions-apiserver v0.26.1 h1:cB8h1SRk6e/+i3NOrQgSFij1B2S0Y0wDoNl66bn8RMI=
+k8s.io/apiextensions-apiserver v0.26.1/go.mod h1:AptjOSXDGuE0JICx/Em15PaoO7buLwTs0dGleIHixSM=
+k8s.io/apimachinery v0.26.1 h1:8EZ/eGJL+hY/MYCNwhmDzVqq2lPl3N3Bo8rvweJwXUQ=
+k8s.io/apimachinery v0.26.1/go.mod h1:tnPmbONNJ7ByJNz9+n9kMjNP8ON+1qoAIIC70lztu74=
+k8s.io/client-go v0.26.1 h1:87CXzYJnAMGaa/IDDfRdhTzxk/wzGZ+/HUQpqgVSZXU=
+k8s.io/client-go v0.26.1/go.mod h1:IWNSglg+rQ3OcvDkhY6+QLeasV4OYHDjdqeWkDQZwGE=
+k8s.io/component-base v0.26.1 h1:4ahudpeQXHZL5kko+iDHqLj/FSGAEUnSVO0EBbgDd+4=
+k8s.io/component-base v0.26.1/go.mod h1:VHrLR0b58oC035w6YQiBSbtsf0ThuSwXP+p5dD/kAWU=
 k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg=
 k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
 k8s.io/kube-openapi v0.0.0-20230501164219-8b0f38b5fd1f h1:2kWPakN3i/k81b0gvD5C5FJ2kxm1WrQFanWchyKuqGg=
@@ -1767,8 +1767,8 @@ rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8
 rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
-sigs.k8s.io/controller-runtime v0.15.0 h1:ML+5Adt3qZnMSYxZ7gAverBLNPSMQEibtzAgp0UPojU=
-sigs.k8s.io/controller-runtime v0.15.0/go.mod h1:7ngYvp1MLT+9GeZ+6lH3LOlcHkp/+tzA/fmHa4iq9kk=
+sigs.k8s.io/controller-runtime v0.14.6 h1:oxstGVvXGNnMvY7TAESYk+lzr6S3V5VFxQ6d92KcwQA=
+sigs.k8s.io/controller-runtime v0.14.6/go.mod h1:WqIdsAY6JBsjfc/CqO0CORmNtoCtE4S6qbPc9s68h+0=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo=
 sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0=
 sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE=
--- a/go.toolchain.branch
+++ b/go.toolchain.branch
@@ -1 +1 @@
-tailscale.go1.21
+tailscale.go1.20
--- a/go.toolchain.rev
+++ b/go.toolchain.rev
@@ -1 +1 @@
-a96a9eddc031c85f22378ef1e37e3fd7e9c482ef
+ddff070c02790cb571006e820e58cce9627569cf
--- a/health/healthmsg/healthmsg.go
+++ b/health/healthmsg/healthmsg.go
@@ -10,5 +10,4 @@ package healthmsg
 const (
 	WarnAcceptRoutesOff = "Some peers are advertising routes but --accept-routes is false"
 	TailscaleSSHOnBut   = "Tailscale SSH enabled, but " // + ... something from caller
-	LockedOut           = "this node is locked out; it will not have connectivity until it is signed. For more info, see https://tailscale.com/s/locked-out"
 )
--- a/hostinfo/hostinfo.go
+++ b/hostinfo/hostinfo.go
@@ -7,10 +7,8 @@ package hostinfo

 import (
 	"bufio"
-	"bytes"
 	"io"
 	"os"
-	"os/exec"
 	"runtime"
 	"runtime/debug"
 	"strings"
@@ -283,7 +281,7 @@ func inContainer() opt.Bool {
 		return nil
 	})
 	lineread.File("/proc/mounts", func(line []byte) error {
-		if mem.Contains(mem.B(line), mem.S("lxcfs /proc/cpuinfo fuse.lxcfs")) {
+		if mem.Contains(mem.B(line), mem.S("fuse.lxcfs")) {
 			ret.Set(true)
 			return io.EOF
 		}
@@ -436,12 +434,3 @@ func etcAptSourceFileIsDisabled(r io.Reader) bool {
 	}
 	return disabled
 }
-
-// IsSELinuxEnforcing reports whether SELinux is in "Enforcing" mode.
-func IsSELinuxEnforcing() bool {
-	if runtime.GOOS != "linux" {
-		return false
-	}
-	out, _ := exec.Command("getenforce").Output()
-	return string(bytes.TrimSpace(out)) == "Enforcing"
-}
--- a/ipn/ipn_clone.go
+++ b/ipn/ipn_clone.go
@@ -103,7 +103,6 @@ func (src *TCPPortHandler) Clone() *TCPPortHandler {
 // A compilation failure here means this code must be regenerated, with the command at the top of this file.
 var _TCPPortHandlerCloneNeedsRegeneration = TCPPortHandler(struct {
 	HTTPS        bool
-	HTTP         bool
 	TCPForward   string
 	TerminateTLS string
 }{})
--- a/ipn/ipn_view.go
+++ b/ipn/ipn_view.go
@@ -228,14 +228,12 @@ func (v *TCPPortHandlerView) UnmarshalJSON(b []byte) error {
 }

 func (v TCPPortHandlerView) HTTPS() bool          { return v.ж.HTTPS }
-func (v TCPPortHandlerView) HTTP() bool           { return v.ж.HTTP }
 func (v TCPPortHandlerView) TCPForward() string   { return v.ж.TCPForward }
 func (v TCPPortHandlerView) TerminateTLS() string { return v.ж.TerminateTLS }

 // A compilation failure here means this code must be regenerated, with the command at the top of this file.
 var _TCPPortHandlerViewNeedsRegeneration = TCPPortHandler(struct {
 	HTTPS        bool
-	HTTP         bool
 	TCPForward   string
 	TerminateTLS string
 }{})
--- a/ipn/ipnlocal/c2n.go
+++ b/ipn/ipnlocal/c2n.go
@@ -49,7 +49,7 @@ func (b *LocalBackend) handleC2N(w http.ResponseWriter, r *http.Request) {
 		}
 	case "/debug/goroutines":
 		w.Header().Set("Content-Type", "text/plain")
-		w.Write(goroutines.ScrubbedGoroutineDump(true))
+		w.Write(goroutines.ScrubbedGoroutineDump())
 	case "/debug/prefs":
 		writeJSON(b.Prefs())
 	case "/debug/metrics":
@@ -61,7 +61,7 @@ func (b *LocalBackend) handleC2N(w http.ResponseWriter, r *http.Request) {
 		if secs == 0 {
 			secs -= 1
 		}
-		until := b.clock.Now().Add(time.Duration(secs) * time.Second)
+		until := time.Now().Add(time.Duration(secs) * time.Second)
 		err := b.SetComponentDebugLogging(component, until)
 		var res struct {
 			Error string `json:",omitempty"`
--- a/ipn/ipnlocal/cert.go
+++ b/ipn/ipnlocal/cert.go
@@ -22,7 +22,6 @@ import (
 	"fmt"
 	"io"
 	"log"
-	insecurerand "math/rand"
 	"net"
 	"os"
 	"path/filepath"
@@ -31,8 +30,7 @@ import (
 	"sync"
 	"time"

-	"github.com/tailscale/golang-x-crypto/acme"
-	"golang.org/x/exp/slices"
+	"golang.org/x/crypto/acme"
 	"tailscale.com/atomicfile"
 	"tailscale.com/envknob"
 	"tailscale.com/hostinfo"
@@ -53,8 +51,8 @@ var (
 	// populate the on-disk cache and the rest should use that.
 	acmeMu sync.Mutex

-	renewMu     sync.Mutex // lock order: acmeMu before renewMu
-	renewCertAt = map[string]time.Time{}
+	renewMu        sync.Mutex // lock order: don't hold acmeMu and renewMu at the same time
+	lastRenewCheck = map[string]time.Time{}
 )

 // certDir returns (creating if needed) the directory in which cached
@@ -80,20 +78,14 @@ func (b *LocalBackend) certDir() (string, error) {

 var acmeDebug = envknob.RegisterBool("TS_DEBUG_ACME")

-// GetCertPEM gets the TLSCertKeyPair for domain, either from cache or via the
-// ACME process. ACME process is used for new domain certs, existing expired
-// certs or existing certs that should get renewed due to upcoming expiry.
-//
-// syncRenewal changes renewal behavior for existing certs that are still valid
-// but need renewal. When syncRenewal is set, the method blocks until a new
-// cert is issued. When syncRenewal is not set, existing cert is returned right
-// away and renewal is kicked off in a background goroutine.
-func (b *LocalBackend) GetCertPEM(ctx context.Context, domain string, syncRenewal bool) (*TLSCertKeyPair, error) {
+// getCertPEM gets the KeyPair for domain, either from cache, via the ACME
+// process, or from cache and kicking off an async ACME renewal.
+func (b *LocalBackend) GetCertPEM(ctx context.Context, domain string) (*TLSCertKeyPair, error) {
 	if !validLookingCertDomain(domain) {
 		return nil, errors.New("invalid domain")
 	}
 	logf := logger.WithPrefix(b.logf, fmt.Sprintf("cert(%q): ", domain))
-	now := b.clock.Now()
+	now := time.Now()
 	traceACME := func(v any) {
 		if !acmeDebug() {
 			return
@@ -108,18 +100,13 @@ func (b *LocalBackend) GetCertPEM(ctx context.Context, domain string, syncRenewa
 	}

 	if pair, err := getCertPEMCached(cs, domain, now); err == nil {
-		shouldRenew, err := b.shouldStartDomainRenewal(cs, domain, now, pair)
-		if err != nil {
-			logf("error checking for certificate renewal: %v", err)
-		} else if !shouldRenew {
-			return pair, nil
-		}
-		if !syncRenewal {
+		future := now.AddDate(0, 0, 14)
+		if b.shouldStartDomainRenewal(cs, domain, future) {
 			logf("starting async renewal")
 			// Start renewal in the background.
-			go b.getCertPEM(context.Background(), cs, logf, traceACME, domain, now)
+			go b.getCertPEM(context.Background(), cs, logf, traceACME, domain, future)
 		}
-		// Synchronous renewal happens below.
+		return pair, nil
 	}

 	pair, err := b.getCertPEM(ctx, cs, logf, traceACME, domain, now)
@@ -130,91 +117,18 @@ func (b *LocalBackend) GetCertPEM(ctx context.Context, domain string, syncRenewa
 	return pair, nil
 }

-func (b *LocalBackend) shouldStartDomainRenewal(cs certStore, domain string, now time.Time, pair *TLSCertKeyPair) (bool, error) {
+func (b *LocalBackend) shouldStartDomainRenewal(cs certStore, domain string, future time.Time) bool {
 	renewMu.Lock()
 	defer renewMu.Unlock()
-	if renewAt, ok := renewCertAt[domain]; ok {
-		return now.After(renewAt), nil
+	now := time.Now()
+	if last, ok := lastRenewCheck[domain]; ok && now.Sub(last) < time.Minute {
+		// We checked very recently. Don't bother reparsing &
+		// validating the x509 cert.
+		return false
 	}
-
-	renewTime, err := b.domainRenewalTimeByARI(cs, pair)
-	if err != nil {
-		// Log any ARI failure and fall back to checking for renewal by expiry.
-		b.logf("acme: ARI check failed: %v; falling back to expiry-based check", err)
-		renewTime, err = b.domainRenewalTimeByExpiry(pair)
-		if err != nil {
-			return false, err
-		}
-	}
-
-	renewCertAt[domain] = renewTime
-	return now.After(renewTime), nil
-}
-
-func (b *LocalBackend) domainRenewed(domain string) {
-	renewMu.Lock()
-	defer renewMu.Unlock()
-	delete(renewCertAt, domain)
-}
-
-func (b *LocalBackend) domainRenewalTimeByExpiry(pair *TLSCertKeyPair) (time.Time, error) {
-	block, _ := pem.Decode(pair.CertPEM)
-	if block == nil {
-		return time.Time{}, fmt.Errorf("parsing certificate PEM")
-	}
-	cert, err := x509.ParseCertificate(block.Bytes)
-	if err != nil {
-		return time.Time{}, fmt.Errorf("parsing certificate: %w", err)
-	}
-
-	certLifetime := cert.NotAfter.Sub(cert.NotBefore)
-	if certLifetime < 0 {
-		return time.Time{}, fmt.Errorf("negative certificate lifetime %v", certLifetime)
-	}
-
-	// Per https://github.com/tailscale/tailscale/issues/8204, check
-	// whether we're more than 2/3 of the way through the certificate's
-	// lifetime, which is the officially-recommended best practice by Let's
-	// Encrypt.
-	renewalDuration := certLifetime * 2 / 3
-	renewAt := cert.NotBefore.Add(renewalDuration)
-	return renewAt, nil
-}
-
-func (b *LocalBackend) domainRenewalTimeByARI(cs certStore, pair *TLSCertKeyPair) (time.Time, error) {
-	var blocks []*pem.Block
-	rest := pair.CertPEM
-	for len(rest) > 0 {
-		var block *pem.Block
-		block, rest = pem.Decode(rest)
-		if block == nil {
-			return time.Time{}, fmt.Errorf("parsing certificate PEM")
-		}
-		blocks = append(blocks, block)
-	}
-	if len(blocks) < 2 {
-		return time.Time{}, fmt.Errorf("could not parse certificate chain from certStore, got %d PEM block(s)", len(blocks))
-	}
-	ac, err := acmeClient(cs)
-	if err != nil {
-		return time.Time{}, err
-	}
-	ctx, cancel := context.WithTimeout(b.ctx, 5*time.Second)
-	defer cancel()
-	ri, err := ac.FetchRenewalInfo(ctx, blocks[0].Bytes, blocks[1].Bytes)
-	if err != nil {
-		return time.Time{}, fmt.Errorf("failed to fetch renewal info from ACME server: %w", err)
-	}
-	if acmeDebug() {
-		b.logf("acme: ARI response: %+v", ri)
-	}
-
-	// Select a random time in the suggested window and renew if that time has
-	// passed. Time is randomized per recommendation in
-	// https://datatracker.ietf.org/doc/draft-ietf-acme-ari/
-	start, end := ri.SuggestedWindow.Start, ri.SuggestedWindow.End
-	renewTime := start.Add(time.Duration(insecurerand.Int63n(int64(end.Sub(start)))))
-	return renewTime, nil
+	lastRenewCheck[domain] = now
+	_, err := getCertPEMCached(cs, domain, future)
+	return errors.Is(err, errCertExpired)
 }

 // certStore provides a way to perist and retrieve TLS certificates.
@@ -382,25 +296,19 @@ func (b *LocalBackend) getCertPEM(ctx context.Context, cs certStore, logf logger
 	acmeMu.Lock()
 	defer acmeMu.Unlock()

-	// In case this method was triggered multiple times in parallel (when
-	// serving incoming requests), check whether one of the other goroutines
-	// already renewed the cert before us.
 	if p, err := getCertPEMCached(cs, domain, now); err == nil {
-		// shouldStartDomainRenewal caches its result so it's OK to call this
-		// frequently.
-		shouldRenew, err := b.shouldStartDomainRenewal(cs, domain, now, p)
-		if err != nil {
-			logf("error checking for certificate renewal: %v", err)
-		} else if !shouldRenew {
-			return p, nil
-		}
+		return p, nil
 	} else if !errors.Is(err, ipn.ErrStateNotExist) && !errors.Is(err, errCertExpired) {
 		return nil, err
 	}

-	ac, err := acmeClient(cs)
+	key, err := acmeKey(cs)
 	if err != nil {
-		return nil, err
+		return nil, fmt.Errorf("acmeKey: %w", err)
+	}
+	ac := &acme.Client{
+		Key:       key,
+		UserAgent: "tailscaled/" + version.Long(),
 	}

 	a, err := ac.GetReg(ctx, "" /* pre-RFC param */)
@@ -453,16 +361,17 @@ func (b *LocalBackend) getCertPEM(ctx context.Context, cs certStore, logf logger
 				}
 				key := "_acme-challenge." + domain

-				// Do a best-effort lookup to see if we've already created this DNS name
-				// in a previous attempt. Don't burn too much time on it, though. Worst
-				// case we ask the server to create something that already exists.
 				var resolver net.Resolver
-				lookupCtx, lookupCancel := context.WithTimeout(ctx, 500*time.Millisecond)
-				txts, _ := resolver.LookupTXT(lookupCtx, key)
-				lookupCancel()
-				if slices.Contains(txts, rec) {
-					logf("TXT record already existed")
-				} else {
+				var ok bool
+				txts, _ := resolver.LookupTXT(ctx, key)
+				for _, txt := range txts {
+					if txt == rec {
+						ok = true
+						logf("TXT record already existed")
+						break
+					}
+				}
+				if !ok {
 					logf("starting SetDNS call...")
 					err = b.SetDNS(ctx, key, rec)
 					if err != nil {
@@ -530,7 +439,6 @@ func (b *LocalBackend) getCertPEM(ctx context.Context, cs certStore, logf logger
 	if err := cs.WriteCert(domain, certPEM.Bytes()); err != nil {
 		return nil, err
 	}
-	b.domainRenewed(domain)

 	return &TLSCertKeyPair{CertPEM: certPEM.Bytes(), KeyPEM: privPEM.Bytes()}, nil
 }
@@ -607,20 +515,6 @@ func acmeKey(cs certStore) (crypto.Signer, error) {
 	return privKey, nil
 }

-func acmeClient(cs certStore) (*acme.Client, error) {
-	key, err := acmeKey(cs)
-	if err != nil {
-		return nil, fmt.Errorf("acmeKey: %w", err)
-	}
-	// Note: if we add support for additional ACME providers (other than
-	// LetsEncrypt), we should make sure that they support ARI extension (see
-	// shouldStartDomainRenewalARI).
-	return &acme.Client{
-		Key:       key,
-		UserAgent: "tailscaled/" + version.Long(),
-	}, nil
-}
-
 // validCertPEM reports whether the given certificate is valid for domain at now.
 //
 // If roots != nil, it is used instead of the system root pool. This is meant
--- a/ipn/ipnlocal/cert_js.go
+++ b/ipn/ipnlocal/cert_js.go
@@ -12,6 +12,6 @@ type TLSCertKeyPair struct {
 	CertPEM, KeyPEM []byte
 }

-func (b *LocalBackend) GetCertPEM(ctx context.Context, domain string, syncRenewal bool) (*TLSCertKeyPair, error) {
+func (b *LocalBackend) GetCertPEM(ctx context.Context, domain string) (*TLSCertKeyPair, error) {
 	return nil, errors.New("not implemented for js/wasm")
 }
--- a/ipn/ipnlocal/cert_test.go
+++ b/ipn/ipnlocal/cert_test.go
@@ -6,19 +6,12 @@
 package ipnlocal

 import (
-	"crypto/ecdsa"
-	"crypto/elliptic"
-	"crypto/rand"
 	"crypto/x509"
-	"crypto/x509/pkix"
 	"embed"
-	"encoding/pem"
-	"math/big"
 	"testing"
 	"time"

 	"github.com/google/go-cmp/cmp"
-	"golang.org/x/exp/maps"
 	"tailscale.com/ipn/store/mem"
 )

@@ -107,96 +100,3 @@ func TestCertStoreRoundTrip(t *testing.T) {
 		})
 	}
 }
-
-func TestShouldStartDomainRenewal(t *testing.T) {
-	reset := func() {
-		renewMu.Lock()
-		defer renewMu.Unlock()
-		maps.Clear(renewCertAt)
-	}
-
-	mustMakePair := func(template *x509.Certificate) *TLSCertKeyPair {
-		priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-		if err != nil {
-			panic(err)
-		}
-
-		b, err := x509.CreateCertificate(rand.Reader, template, template, &priv.PublicKey, priv)
-		if err != nil {
-			panic(err)
-		}
-		certPEM := pem.EncodeToMemory(&pem.Block{
-			Type:  "CERTIFICATE",
-			Bytes: b,
-		})
-
-		return &TLSCertKeyPair{
-			Cached:  false,
-			CertPEM: certPEM,
-			KeyPEM:  []byte("unused"),
-		}
-	}
-
-	now := time.Unix(1685714838, 0)
-	subject := pkix.Name{
-		Organization:  []string{"Tailscale, Inc."},
-		Country:       []string{"CA"},
-		Province:      []string{"ON"},
-		Locality:      []string{"Toronto"},
-		StreetAddress: []string{"290 Bremner Blvd"},
-		PostalCode:    []string{"M5V 3L9"},
-	}
-
-	testCases := []struct {
-		name      string
-		notBefore time.Time
-		lifetime  time.Duration
-		want      bool
-		wantErr   string
-	}{
-		{
-			name:      "should renew",
-			notBefore: now.AddDate(0, 0, -89),
-			lifetime:  90 * 24 * time.Hour,
-			want:      true,
-		},
-		{
-			name:      "short-lived renewal",
-			notBefore: now.AddDate(0, 0, -7),
-			lifetime:  10 * 24 * time.Hour,
-			want:      true,
-		},
-		{
-			name:      "no renew",
-			notBefore: now.AddDate(0, 0, -59), // 59 days ago == not 2/3rds of the way through 90 days yet
-			lifetime:  90 * 24 * time.Hour,
-			want:      false,
-		},
-	}
-	b := new(LocalBackend)
-	for _, tt := range testCases {
-		t.Run(tt.name, func(t *testing.T) {
-			reset()
-
-			ret, err := b.domainRenewalTimeByExpiry(mustMakePair(&x509.Certificate{
-				SerialNumber: big.NewInt(2019),
-				Subject:      subject,
-				NotBefore:    tt.notBefore,
-				NotAfter:     tt.notBefore.Add(tt.lifetime),
-			}))
-
-			if tt.wantErr != "" {
-				if err == nil {
-					t.Errorf("wanted error, got nil")
-				} else if err.Error() != tt.wantErr {
-					t.Errorf("got err=%q, want %q", err.Error(), tt.wantErr)
-				}
-			} else {
-				renew := now.After(ret)
-				if renew != tt.want {
-					t.Errorf("got renew=%v (ret=%v), want renew %v", renew, ret, tt.want)
-				}
-			}
-		})
-	}
-}
--- a/ipn/ipnlocal/dnsconfig_test.go
+++ b/ipn/ipnlocal/dnsconfig_test.go
@@ -16,7 +16,6 @@ import (
 	"tailscale.com/types/dnstype"
 	"tailscale.com/types/netmap"
 	"tailscale.com/util/cloudenv"
-	"tailscale.com/util/cmpx"
 	"tailscale.com/util/dnsname"
 )

@@ -309,7 +308,10 @@ func TestDNSConfigForNetmap(t *testing.T) {
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			verOS := cmpx.Or(tt.os, "linux")
+			verOS := tt.os
+			if verOS == "" {
+				verOS = "linux"
+			}
 			var log tstest.MemLogger
 			got := dnsConfigForNetmap(tt.nm, tt.prefs.View(), log.Logf, verOS)
 			if !reflect.DeepEqual(got, tt.want) {
--- a/ipn/ipnlocal/expiry.go
+++ b/ipn/ipnlocal/expiry.go
@@ -8,7 +8,6 @@ import (

 	"tailscale.com/syncs"
 	"tailscale.com/tailcfg"
-	"tailscale.com/tstime"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/netmap"
@@ -38,22 +37,22 @@ type expiryManager struct {
 	//    time.Now().Add(clockDelta) == MapResponse.ControlTime
 	clockDelta syncs.AtomicValue[time.Duration]

-	logf  logger.Logf
-	clock tstime.Clock
+	logf    logger.Logf
+	timeNow func() time.Time
 }

 func newExpiryManager(logf logger.Logf) *expiryManager {
 	return &expiryManager{
 		previouslyExpired: map[tailcfg.StableNodeID]bool{},
 		logf:              logf,
-		clock:             tstime.StdClock{},
+		timeNow:           time.Now,
 	}
 }

 // onControlTime is called whenever we receive a new timestamp from the control
 // server to store the delta.
 func (em *expiryManager) onControlTime(t time.Time) {
-	localNow := em.clock.Now()
+	localNow := em.timeNow()
 	delta := t.Sub(localNow)
 	if delta.Abs() > minClockDelta {
 		em.logf("[v1] netmap: flagExpiredPeers: setting clock delta to %v", delta)
--- a/ipn/ipnlocal/expiry_test.go
+++ b/ipn/ipnlocal/expiry_test.go
@@ -11,7 +11,6 @@ import (
 	"time"

 	"tailscale.com/tailcfg"
-	"tailscale.com/tstest"
 	"tailscale.com/types/key"
 	"tailscale.com/types/netmap"
 )
@@ -111,7 +110,8 @@ func TestFlagExpiredPeers(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			em := newExpiryManager(t.Logf)
-			em.clock = tstest.NewClock(tstest.ClockOpts{Start: now})
+			em.timeNow = func() time.Time { return now }
+
 			if tt.controlTime != nil {
 				em.onControlTime(*tt.controlTime)
 			}
@@ -241,7 +241,7 @@ func TestNextPeerExpiry(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			em := newExpiryManager(t.Logf)
-			em.clock = tstest.NewClock(tstest.ClockOpts{Start: now})
+			em.timeNow = func() time.Time { return now }
 			got := em.nextPeerExpiry(tt.netmap, now)
 			if !got.Equal(tt.want) {
 				t.Errorf("got %q, want %q", got.Format(time.RFC3339), tt.want.Format(time.RFC3339))
@@ -254,7 +254,7 @@ func TestNextPeerExpiry(t *testing.T) {
 	t.Run("ClockSkew", func(t *testing.T) {
 		t.Logf("local time:  %q", now.Format(time.RFC3339))
 		em := newExpiryManager(t.Logf)
-		em.clock = tstest.NewClock(tstest.ClockOpts{Start: now})
+		em.timeNow = func() time.Time { return now }

 		// The local clock is "running fast"; our clock skew is -2h
 		em.clockDelta.Store(-2 * time.Hour)
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -4,6 +4,7 @@
 package ipnlocal

 import (
+	"bytes"
 	"context"
 	"encoding/base64"
 	"encoding/json"
@@ -17,6 +18,7 @@ import (
 	"net/netip"
 	"net/url"
 	"os"
+	"os/exec"
 	"os/user"
 	"path/filepath"
 	"runtime"
@@ -30,7 +32,6 @@ import (
 	"go4.org/mem"
 	"go4.org/netipx"
 	"golang.org/x/exp/slices"
-	"gvisor.dev/gvisor/pkg/tcpip"
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/doctor"
@@ -59,8 +60,6 @@ import (
 	"tailscale.com/syncs"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tka"
-	"tailscale.com/tsd"
-	"tailscale.com/tstime"
 	"tailscale.com/types/dnstype"
 	"tailscale.com/types/empty"
 	"tailscale.com/types/key"
@@ -71,7 +70,6 @@ import (
 	"tailscale.com/types/preftype"
 	"tailscale.com/types/ptr"
 	"tailscale.com/types/views"
-	"tailscale.com/util/cmpx"
 	"tailscale.com/util/deephash"
 	"tailscale.com/util/dnsname"
 	"tailscale.com/util/mak"
@@ -139,11 +137,10 @@ type LocalBackend struct {
 	logf                  logger.Logf        // general logging
 	keyLogf               logger.Logf        // for printing list of peers on change
 	statsLogf             logger.Logf        // for printing peers stats on change
-	sys                   *tsd.System
-	e                     wgengine.Engine // non-nil; TODO(bradfitz): remove; use sys
+	e                     wgengine.Engine
 	pm                    *profileManager
-	store                 ipn.StateStore // non-nil; TODO(bradfitz): remove; use sys
-	dialer                *tsdial.Dialer // non-nil; TODO(bradfitz): remove; use sys
+	store                 ipn.StateStore
+	dialer                *tsdial.Dialer // non-nil
 	backendLogID          logid.PublicID
 	unregisterNetMon      func()
 	unregisterHealthWatch func()
@@ -202,7 +199,7 @@ type LocalBackend struct {
 	hostinfo *tailcfg.Hostinfo
 	// netMap is not mutated in-place once set.
 	netMap           *netmap.NetworkMap
-	nmExpiryTimer    tstime.TimerController // for updating netMap on node expiry; can be nil
+	nmExpiryTimer    *time.Timer // for updating netMap on node expiry; can be nil
 	nodeByAddr       map[netip.Addr]*tailcfg.Node
 	activeLogin      string // last logged LoginName from netMap
 	engineStatus     ipn.EngineStatus
@@ -260,7 +257,6 @@ type LocalBackend struct {
 	// tkaSyncLock MUST be taken before mu (or inversely, mu must not be held
 	// at the moment that tkaSyncLock is taken).
 	tkaSyncLock sync.Mutex
-	clock       tstime.Clock
 }

 // clientGen is a func that creates a control plane client.
@@ -271,10 +267,10 @@ type clientGen func(controlclient.Options) (controlclient.Client, error)
 // but is not actually running.
 //
 // If dialer is nil, a new one is made.
-func NewLocalBackend(logf logger.Logf, logID logid.PublicID, sys *tsd.System, loginFlags controlclient.LoginFlags) (*LocalBackend, error) {
-	e := sys.Engine.Get()
-	store := sys.StateStore.Get()
-	dialer := sys.Dialer.Get()
+func NewLocalBackend(logf logger.Logf, logID logid.PublicID, store ipn.StateStore, dialer *tsdial.Dialer, e wgengine.Engine, loginFlags controlclient.LoginFlags) (*LocalBackend, error) {
+	if e == nil {
+		panic("ipn.NewLocalBackend: engine must not be nil")
+	}

 	pm, err := newProfileManager(store, logf)
 	if err != nil {
@@ -294,31 +290,30 @@ func NewLocalBackend(logf logger.Logf, logID logid.PublicID, sys *tsd.System, lo
 	osshare.SetFileSharingEnabled(false, logf)

 	ctx, cancel := context.WithCancel(context.Background())
-	portpoll := new(portlist.Poller)
-	clock := tstime.StdClock{}
+	portpoll, err := portlist.NewPoller()
+	if err != nil {
+		logf("skipping portlist: %s", err)
+	}

 	b := &LocalBackend{
 		ctx:            ctx,
 		ctxCancel:      cancel,
 		logf:           logf,
-		keyLogf:        logger.LogOnChange(logf, 5*time.Minute, clock.Now),
-		statsLogf:      logger.LogOnChange(logf, 5*time.Minute, clock.Now),
-		sys:            sys,
+		keyLogf:        logger.LogOnChange(logf, 5*time.Minute, time.Now),
+		statsLogf:      logger.LogOnChange(logf, 5*time.Minute, time.Now),
 		e:              e,
-		dialer:         dialer,
-		store:          store,
 		pm:             pm,
+		store:          store,
+		dialer:         dialer,
 		backendLogID:   logID,
 		state:          ipn.NoState,
 		portpoll:       portpoll,
 		em:             newExpiryManager(logf),
 		gotPortPollRes: make(chan struct{}),
 		loginFlags:     loginFlags,
-		clock:          clock,
 	}

-	netMon := sys.NetMon.Get()
-	b.sockstatLogger, err = sockstatlog.NewLogger(logpolicy.LogsDir(logf), logf, logID, netMon)
+	b.sockstatLogger, err = sockstatlog.NewLogger(logpolicy.LogsDir(logf), logf, logID, e.GetNetMon())
 	if err != nil {
 		log.Printf("error setting up sockstat logger: %v", err)
 	}
@@ -335,6 +330,7 @@ func NewLocalBackend(logf logger.Logf, logID logid.PublicID, sys *tsd.System, lo
 	b.statusChanged = sync.NewCond(&b.statusLock)
 	b.e.SetStatusCallback(b.setWgengineStatus)

+	netMon := e.GetNetMon()
 	b.prevIfState = netMon.InterfaceState()
 	// Call our linkChange code once with the current state, and
 	// then also whenever it changes:
@@ -343,16 +339,21 @@ func NewLocalBackend(logf logger.Logf, logID logid.PublicID, sys *tsd.System, lo

 	b.unregisterHealthWatch = health.RegisterWatcher(b.onHealthChange)

-	if tunWrap, ok := b.sys.Tun.GetOK(); ok {
-		tunWrap.PeerAPIPort = b.GetPeerAPIPort
-	} else {
+	wiredPeerAPIPort := false
+	if ig, ok := e.(wgengine.InternalsGetter); ok {
+		if tunWrap, _, _, ok := ig.GetInternals(); ok {
+			tunWrap.PeerAPIPort = b.GetPeerAPIPort
+			wiredPeerAPIPort = true
+		}
+	}
+	if !wiredPeerAPIPort {
 		b.logf("[unexpected] failed to wire up PeerAPI port for engine %T", e)
 	}

 	for _, component := range debuggableComponents {
 		key := componentStateKey(component)
 		if ut, err := ipn.ReadStoreInt(pm.Store(), key); err == nil {
-			if until := time.Unix(ut, 0); until.After(b.clock.Now()) {
+			if until := time.Unix(ut, 0); until.After(time.Now()) {
 				// conditional to avoid log spam at start when off
 				b.SetComponentDebugLogging(component, until)
 			}
@@ -364,7 +365,7 @@ func NewLocalBackend(logf logger.Logf, logID logid.PublicID, sys *tsd.System, lo

 type componentLogState struct {
 	until time.Time
-	timer tstime.TimerController // if non-nil, the AfterFunc to disable it
+	timer *time.Timer // if non-nil, the AfterFunc to disable it
 }

 var debuggableComponents = []string{
@@ -417,7 +418,7 @@ func (b *LocalBackend) SetComponentDebugLogging(component string, until time.Tim
 		return t.Unix()
 	}
 	ipn.PutStoreInt(b.store, componentStateKey(component), timeUnixOrZero(until))
-	now := b.clock.Now()
+	now := time.Now()
 	on := now.Before(until)
 	setEnabled(on)
 	var onFor time.Duration
@@ -432,7 +433,7 @@ func (b *LocalBackend) SetComponentDebugLogging(component string, until time.Tim
 	}
 	newSt := componentLogState{until: until}
 	if on {
-		newSt.timer = b.clock.AfterFunc(onFor, func() {
+		newSt.timer = time.AfterFunc(onFor, func() {
 			// Turn off logging after the timer fires, as long as the state is
 			// unchanged when the timer actually fires.
 			b.mu.Lock()
@@ -454,7 +455,7 @@ func (b *LocalBackend) GetComponentDebugLogging(component string) time.Time {
 	b.mu.Lock()
 	defer b.mu.Unlock()

-	now := b.clock.Now()
+	now := time.Now()
 	ls := b.componentLogUntil[component]
 	if ls.until.IsZero() || ls.until.Before(now) {
 		return time.Time{}
@@ -463,7 +464,6 @@ func (b *LocalBackend) GetComponentDebugLogging(component string) time.Time {
 }

 // Dialer returns the backend's dialer.
-// It is always non-nil.
 func (b *LocalBackend) Dialer() *tsdial.Dialer {
 	return b.dialer
 }
@@ -644,7 +644,7 @@ func (b *LocalBackend) updateStatus(sb *ipnstate.StatusBuilder, extraLocked func
 	defer b.mu.Unlock()
 	sb.MutateStatus(func(s *ipnstate.Status) {
 		s.Version = version.Long()
-		s.TUN = !b.sys.IsNetstack()
+		s.TUN = !wgengine.IsNetstack(b.e)
 		s.BackendState = b.state.String()
 		s.AuthURL = b.authURLSticky
 		if err := health.OverallError(); err != nil {
@@ -746,12 +746,12 @@ func (b *LocalBackend) populatePeerStatusLocked(sb *ipnstate.StatusBuilder) {
 			HostName:     p.Hostinfo.Hostname(),
 			DNSName:      p.Name,
 			OS:           p.Hostinfo.OS(),
+			KeepAlive:    p.KeepAlive,
 			LastSeen:     lastSeen,
 			Online:       p.Online != nil && *p.Online,
 			ShareeNode:   p.Hostinfo.ShareeNode(),
 			ExitNode:     p.StableID != "" && p.StableID == exitNodeID,
 			SSH_HostKeys: p.Hostinfo.SSH_HostKeys().AsSlice(),
-			Location:     p.Hostinfo.Location(),
 		}
 		peerStatusFromNode(ps, p)

@@ -819,13 +819,13 @@ func (b *LocalBackend) WhoIs(ipp netip.AddrPort) (n *tailcfg.Node, u tailcfg.Use

 // PeerCaps returns the capabilities that remote src IP has to
 // ths current node.
-func (b *LocalBackend) PeerCaps(src netip.Addr) tailcfg.PeerCapMap {
+func (b *LocalBackend) PeerCaps(src netip.Addr) []string {
 	b.mu.Lock()
 	defer b.mu.Unlock()
 	return b.peerCapsLocked(src)
 }

-func (b *LocalBackend) peerCapsLocked(src netip.Addr) tailcfg.PeerCapMap {
+func (b *LocalBackend) peerCapsLocked(src netip.Addr) []string {
 	if b.netMap == nil {
 		return nil
 	}
@@ -839,7 +839,7 @@ func (b *LocalBackend) peerCapsLocked(src netip.Addr) tailcfg.PeerCapMap {
 		}
 		dst := a.Addr()
 		if dst.BitLen() == src.BitLen() { // match on family
-			return filt.CapsWithValues(src, dst)
+			return filt.AppendCaps(nil, src, dst)
 		}
 	}
 	return nil
@@ -881,7 +881,7 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {

 	// Handle node expiry in the netmap
 	if st.NetMap != nil {
-		now := b.clock.Now()
+		now := time.Now()
 		b.em.flagExpiredPeers(st.NetMap, now)

 		// Always stop the existing netmap timer if we have a netmap;
@@ -901,7 +901,7 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 		nextExpiry := b.em.nextPeerExpiry(st.NetMap, now)
 		if !nextExpiry.IsZero() {
 			tmrDuration := nextExpiry.Sub(now) + 10*time.Second
-			b.nmExpiryTimer = b.clock.AfterFunc(tmrDuration, func() {
+			b.nmExpiryTimer = time.AfterFunc(tmrDuration, func() {
 				// Skip if the world has moved on past the
 				// saved call (e.g. if we race stopping this
 				// timer).
@@ -923,7 +923,7 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {
 	keyExpiryExtended := false
 	if st.NetMap != nil {
 		wasExpired := b.keyExpired
-		isExpired := !st.NetMap.Expiry.IsZero() && st.NetMap.Expiry.Before(b.clock.Now())
+		isExpired := !st.NetMap.Expiry.IsZero() && st.NetMap.Expiry.Before(time.Now())
 		if wasExpired && !isExpired {
 			keyExpiryExtended = true
 		}
@@ -1018,7 +1018,7 @@ func (b *LocalBackend) setClientStatus(st controlclient.Status) {

 	// Perform all reconfiguration based on the netmap here.
 	if st.NetMap != nil {
-		b.capTailnetLock = hasCapability(st.NetMap, tailcfg.CapabilityTailnetLock)
+		b.capTailnetLock = hasCapability(st.NetMap, tailcfg.CapabilityTailnetLockAlpha)

 		b.mu.Unlock() // respect locking rules for tkaSyncIfNeeded
 		if err := b.tkaSyncIfNeeded(st.NetMap, prefs.View()); err != nil {
@@ -1315,8 +1315,8 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 	hostinfo := hostinfo.New()
 	hostinfo.BackendLogID = b.backendLogID.String()
 	hostinfo.FrontendLogID = opts.FrontendLogID
-	hostinfo.Userspace.Set(b.sys.IsNetstack())
-	hostinfo.UserspaceRouter.Set(b.sys.IsNetstackRouter())
+	hostinfo.Userspace.Set(wgengine.IsNetstack(b.e))
+	hostinfo.UserspaceRouter.Set(wgengine.IsNetstackRouter(b.e))

 	if b.cc != nil {
 		// TODO(apenwarr): avoid the need to reinit controlclient.
@@ -1378,19 +1378,20 @@ func (b *LocalBackend) Start(opts ipn.Options) error {

 	if b.portpoll != nil {
 		b.portpollOnce.Do(func() {
+			go b.portpoll.Run(b.ctx)
 			go b.readPoller()

 			// Give the poller a second to get results to
 			// prevent it from restarting our map poll
 			// HTTP request (via doSetHostinfoFilterServices >
 			// cli.SetHostinfo). In practice this is very quick.
-			t0 := b.clock.Now()
-			timer, timerChannel := b.clock.NewTimer(time.Second)
+			t0 := time.Now()
+			timer := time.NewTimer(time.Second)
 			select {
 			case <-b.gotPortPollRes:
-				b.logf("[v1] got initial portlist info in %v", b.clock.Since(t0).Round(time.Millisecond))
+				b.logf("[v1] got initial portlist info in %v", time.Since(t0).Round(time.Millisecond))
 				timer.Stop()
-			case <-timerChannel:
+			case <-timer.C:
 				b.logf("timeout waiting for initial portlist")
 			}
 		})
@@ -1400,7 +1401,7 @@ func (b *LocalBackend) Start(opts ipn.Options) error {

 	var err error

-	isNetstack := b.sys.IsNetstackRouter()
+	isNetstack := wgengine.IsNetstackRouter(b.e)
 	debugFlags := controlDebugFlags
 	if isNetstack {
 		debugFlags = append([]string{"netstack"}, debugFlags...)
@@ -1422,7 +1423,7 @@ func (b *LocalBackend) Start(opts ipn.Options) error {
 		HTTPTestClient:       httpTestClient,
 		DiscoPublicKey:       discoPublic,
 		DebugFlags:           debugFlags,
-		NetMon:               b.sys.NetMon.Get(),
+		NetMon:               b.e.GetNetMon(),
 		Pinger:               b,
 		PopBrowserURL:        b.tellClientToBrowseToURL,
 		OnClientVersion:      b.onClientVersion,
@@ -1812,30 +1813,11 @@ func dnsMapsEqual(new, old *netmap.NetworkMap) bool {
 // readPoller is a goroutine that receives service lists from
 // b.portpoll and propagates them into the controlclient's HostInfo.
 func (b *LocalBackend) readPoller() {
-	isFirst := true
-	ticker, tickerChannel := b.clock.NewTicker(portlist.PollInterval())
-	defer ticker.Stop()
-	initChan := make(chan struct{})
-	close(initChan)
+	n := 0
 	for {
-		select {
-		case <-tickerChannel:
-		case <-b.ctx.Done():
+		ports, ok := <-b.portpoll.Updates()
+		if !ok {
 			return
-		case <-initChan:
-			// Preserving old behavior: readPoller should
-			// immediately poll the first time, then wait
-			// for a tick after.
-			initChan = nil
-		}
-
-		ports, changed, err := b.portpoll.Poll()
-		if err != nil {
-			b.logf("error polling for open ports: %v", err)
-			return
-		}
-		if !changed {
-			continue
 		}
 		sl := []tailcfg.Service{}
 		for _, p := range ports {
@@ -1859,8 +1841,8 @@ func (b *LocalBackend) readPoller() {

 		b.doSetHostinfoFilterServices(hi)

-		if isFirst {
-			isFirst = false
+		n++
+		if n == 1 {
 			close(b.gotPortPollRes)
 		}
 	}
@@ -1988,11 +1970,11 @@ func (b *LocalBackend) WatchNotifications(ctx context.Context, mask ipn.NotifyWa
 // pollRequestEngineStatus calls b.RequestEngineStatus every 2 seconds until ctx
 // is done.
 func (b *LocalBackend) pollRequestEngineStatus(ctx context.Context) {
-	ticker, tickerChannel := b.clock.NewTicker(2 * time.Second)
+	ticker := time.NewTicker(2 * time.Second)
 	defer ticker.Stop()
 	for {
 		select {
-		case <-tickerChannel:
+		case <-ticker.C:
 			b.RequestEngineStatus()
 		case <-ctx.Done():
 			return
@@ -2400,14 +2382,14 @@ func (b *LocalBackend) StartLoginInteractive() {
 	}
 }

-func (b *LocalBackend) Ping(ctx context.Context, ip netip.Addr, pingType tailcfg.PingType, size int) (*ipnstate.PingResult, error) {
+func (b *LocalBackend) Ping(ctx context.Context, ip netip.Addr, pingType tailcfg.PingType) (*ipnstate.PingResult, error) {
 	if pingType == tailcfg.PingPeerAPI {
-		t0 := b.clock.Now()
+		t0 := time.Now()
 		node, base, err := b.pingPeerAPI(ctx, ip)
 		if err != nil && ctx.Err() != nil {
 			return nil, ctx.Err()
 		}
-		d := b.clock.Since(t0)
+		d := time.Since(t0)
 		pr := &ipnstate.PingResult{
 			IP:             ip.String(),
 			NodeIP:         ip.String(),
@@ -2423,7 +2405,7 @@ func (b *LocalBackend) Ping(ctx context.Context, ip netip.Addr, pingType tailcfg
 		return pr, nil
 	}
 	ch := make(chan *ipnstate.PingResult, 1)
-	b.e.Ping(ip, pingType, size, func(pr *ipnstate.PingResult) {
+	b.e.Ping(ip, pingType, func(pr *ipnstate.PingResult) {
 		select {
 		case ch <- pr:
 		default:
@@ -2585,7 +2567,7 @@ func (b *LocalBackend) checkSSHPrefsLocked(p *ipn.Prefs) error {
 		if distro.Get() == distro.QNAP && !envknob.UseWIPCode() {
 			return errors.New("The Tailscale SSH server does not run on QNAP.")
 		}
-		b.updateSELinuxHealthWarning()
+		checkSELinux()
 		// otherwise okay
 	case "darwin":
 		// okay only in tailscaled mode for now.
@@ -2831,14 +2813,14 @@ func (b *LocalBackend) GetPeerAPIPort(ip netip.Addr) (port uint16, ok bool) {
 	return 0, false
 }

-// handlePeerAPIConn serves an already-accepted connection c.
+// ServePeerAPIConnection serves an already-accepted connection c.
 //
 // The remote parameter is the remote address.
 // The local parameter is the local address (either a Tailscale IPv4
 // or IPv6 IP and the peerapi port for that address).
 //
-// The connection will be closed by handlePeerAPIConn.
-func (b *LocalBackend) handlePeerAPIConn(remote, local netip.AddrPort, c net.Conn) {
+// The connection will be closed by ServePeerAPIConnection.
+func (b *LocalBackend) ServePeerAPIConnection(remote, local netip.AddrPort, c net.Conn) {
 	b.mu.Lock()
 	defer b.mu.Unlock()
 	for _, pln := range b.peerAPIListeners {
@@ -2852,48 +2834,6 @@ func (b *LocalBackend) handlePeerAPIConn(remote, local netip.AddrPort, c net.Con
 	return
 }

-func (b *LocalBackend) isLocalIP(ip netip.Addr) bool {
-	nm := b.NetMap()
-	return nm != nil && slices.Contains(nm.Addresses, netip.PrefixFrom(ip, ip.BitLen()))
-}
-
-var (
-	magicDNSIP   = tsaddr.TailscaleServiceIP()
-	magicDNSIPv6 = tsaddr.TailscaleServiceIPv6()
-)
-
-// TCPHandlerForDst returns a TCP handler for connections to dst, or nil if
-// no handler is needed. It also returns a list of TCP socket options to
-// apply to the socket before calling the handler.
-func (b *LocalBackend) TCPHandlerForDst(src, dst netip.AddrPort) (handler func(c net.Conn) error, opts []tcpip.SettableSocketOption) {
-	if dst.Port() == 80 && (dst.Addr() == magicDNSIP || dst.Addr() == magicDNSIPv6) {
-		return b.HandleQuad100Port80Conn, opts
-	}
-	if !b.isLocalIP(dst.Addr()) {
-		return nil, nil
-	}
-	if dst.Port() == 22 && b.ShouldRunSSH() {
-		// Use a higher keepalive idle time for SSH connections, as they are
-		// typically long lived and idle connections are more likely to be
-		// intentional. Ideally we would turn this off entirely, but we can't
-		// tell the difference between a long lived connection that is idle
-		// vs a connection that is dead because the peer has gone away.
-		// We pick 72h as that is typically sufficient for a long weekend.
-		opts = append(opts, ptr.To(tcpip.KeepaliveIdleOption(72*time.Hour)))
-		return b.handleSSHConn, opts
-	}
-	if port, ok := b.GetPeerAPIPort(dst.Addr()); ok && dst.Port() == port {
-		return func(c net.Conn) error {
-			b.handlePeerAPIConn(src, dst, c)
-			return nil
-		}, opts
-	}
-	if handler := b.tcpHandlerForServe(dst.Port(), src); handler != nil {
-		return handler, opts
-	}
-	return nil, nil
-}
-
 func (b *LocalBackend) peerAPIServicesLocked() (ret []tailcfg.Service) {
 	for _, pln := range b.peerAPIListeners {
 		proto := tailcfg.PeerAPI4
@@ -3377,12 +3317,14 @@ func (b *LocalBackend) initPeerAPIListener() {
 		directFileMode:          b.directFileRoot != "",
 		directFileDoFinalRename: b.directFileDoFinalRename,
 	}
-	if dm, ok := b.sys.DNSManager.GetOK(); ok {
-		ps.resolver = dm.Resolver()
+	if re, ok := b.e.(wgengine.ResolvingEngine); ok {
+		if r, ok := re.GetResolver(); ok {
+			ps.resolver = r
+		}
 	}
 	b.peerAPIServer = ps

-	isNetstack := b.sys.IsNetstack()
+	isNetstack := wgengine.IsNetstack(b.e)
 	for i, a := range b.netMap.Addresses {
 		var ln net.Listener
 		var err error
@@ -3688,19 +3630,6 @@ func (b *LocalBackend) hasNodeKey() bool {
 	return p.Valid() && p.Persist().Valid() && !p.Persist().PrivateNodeKey().IsZero()
 }

-// NodeKey returns the public node key.
-func (b *LocalBackend) NodeKey() key.NodePublic {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-
-	p := b.pm.CurrentPrefs()
-	if !p.Valid() || !p.Persist().Valid() || p.Persist().PrivateNodeKey().IsZero() {
-		return key.NodePublic{}
-	}
-
-	return p.Persist().PublicNodeKey()
-}
-
 // nextState returns the state the backend seems to be in, based on
 // its internal state.
 func (b *LocalBackend) nextState() ipn.State {
@@ -3978,7 +3907,10 @@ func (b *LocalBackend) setNetMapLocked(nm *netmap.NetworkMap) {
 	b.dialer.SetNetMap(nm)
 	var login string
 	if nm != nil {
-		login = cmpx.Or(nm.UserProfiles[nm.User].LoginName, "<missing-profile>")
+		login = nm.UserProfiles[nm.User].LoginName
+		if login == "" {
+			login = "<missing-profile>"
+		}
 	}
 	b.netMap = nm
 	if login != b.activeLogin {
@@ -4108,7 +4040,7 @@ func (b *LocalBackend) setTCPPortsInterceptedFromNetmapAndPrefsLocked(prefs ipn.
 		b.setServeProxyHandlersLocked()

 		// don't listen on netmap addresses if we're in userspace mode
-		if !b.sys.IsNetstack() {
+		if !wgengine.IsNetstack(b.e) {
 			b.updateServeTCPPortNetMapAddrListenersLocked(servePorts)
 		}
 	}
@@ -4133,10 +4065,6 @@ func (b *LocalBackend) setServeProxyHandlersLocked() {
 	b.serveConfig.Web().Range(func(_ ipn.HostPort, conf ipn.WebServerConfigView) (cont bool) {
 		conf.Handlers().Range(func(_ string, h ipn.HTTPHandlerView) (cont bool) {
 			backend := h.Proxy()
-			if backend == "" {
-				// Only create proxy handlers for servers with a proxy backend.
-				return true
-			}
 			mak.Set(&backends, backend, true)
 			if _, ok := b.serveProxyHandlers.Load(backend); ok {
 				return true
@@ -4333,15 +4261,20 @@ func (b *LocalBackend) peerIsTaildropTargetLocked(p *tailcfg.Node) bool {
 		return true
 	}
 	if len(p.Addresses) > 0 &&
-		b.peerHasCapLocked(p.Addresses[0].Addr(), tailcfg.PeerCapabilityFileSharingTarget) {
+		b.peerHasCapLocked(p.Addresses[0].Addr(), tailcfg.CapabilityFileSharingTarget) {
 		// Explicitly noted in the netmap ACL caps as a target.
 		return true
 	}
 	return false
 }

-func (b *LocalBackend) peerHasCapLocked(addr netip.Addr, wantCap tailcfg.PeerCapability) bool {
-	return b.peerCapsLocked(addr).HasCapability(wantCap)
+func (b *LocalBackend) peerHasCapLocked(addr netip.Addr, wantCap string) bool {
+	for _, hasCap := range b.peerCapsLocked(addr) {
+		if hasCap == wantCap {
+			return true
+		}
+	}
+	return false
 }

 // SetDNS adds a DNS record for the given domain name & TXT record
@@ -4458,7 +4391,7 @@ func nodeIP(n *tailcfg.Node, pred func(netip.Addr) bool) netip.Addr {
 }

 func (b *LocalBackend) CheckIPForwarding() error {
-	if b.sys.IsNetstackRouter() {
+	if wgengine.IsNetstackRouter(b.e) {
 		return nil
 	}

@@ -4604,9 +4537,13 @@ func (b *LocalBackend) DebugReSTUN() error {
 }

 func (b *LocalBackend) magicConn() (*magicsock.Conn, error) {
-	mc, ok := b.sys.MagicSock.GetOK()
+	ig, ok := b.e.(wgengine.InternalsGetter)
 	if !ok {
-		return nil, errors.New("failed to get magicsock from sys")
+		return nil, errors.New("engine isn't InternalsGetter")
+	}
+	_, mc, _, ok := ig.GetInternals()
+	if !ok {
+		return nil, errors.New("failed to get internals")
 	}
 	return mc, nil
 }
@@ -4706,29 +4643,33 @@ func (b *LocalBackend) sshServerOrInit() (_ SSHServer, err error) {

 var warnSSHSELinux = health.NewWarnable()

-func (b *LocalBackend) updateSELinuxHealthWarning() {
-	if hostinfo.IsSELinuxEnforcing() {
+func checkSELinux() {
+	if runtime.GOOS != "linux" {
+		return
+	}
+	out, _ := exec.Command("getenforce").Output()
+	if string(bytes.TrimSpace(out)) == "Enforcing" {
 		warnSSHSELinux.Set(errors.New("SELinux is enabled; Tailscale SSH may not work. See https://tailscale.com/s/ssh-selinux"))
 	} else {
 		warnSSHSELinux.Set(nil)
 	}
 }

-func (b *LocalBackend) handleSSHConn(c net.Conn) (err error) {
+func (b *LocalBackend) HandleSSHConn(c net.Conn) (err error) {
 	s, err := b.sshServerOrInit()
 	if err != nil {
 		return err
 	}
-	b.updateSELinuxHealthWarning()
+	checkSELinux()
 	return s.HandleSSHConn(c)
 }

 // HandleQuad100Port80Conn serves http://100.100.100.100/ on port 80 (and
 // the equivalent tsaddr.TailscaleServiceIPv6 address).
-func (b *LocalBackend) HandleQuad100Port80Conn(c net.Conn) error {
+func (b *LocalBackend) HandleQuad100Port80Conn(c net.Conn) {
 	var s http.Server
 	s.Handler = http.HandlerFunc(b.handleQuad100Port80Conn)
-	return s.Serve(netutil.NewOneConnListener(c, nil))
+	s.Serve(netutil.NewOneConnListener(c, nil))
 }

 func validQuad100Host(h string) bool {
@@ -4778,7 +4719,7 @@ func (b *LocalBackend) Doctor(ctx context.Context, logf logger.Logf) {
 	// opting-out of rate limits. Limit ourselves to at most one message
 	// per 20ms and a burst of 60 log lines, which should be fast enough to
 	// not block for too long but slow enough that we can upload all lines.
-	logf = logger.SlowLoggerWithClock(ctx, logf, 20*time.Millisecond, 60, b.clock.Now)
+	logf = logger.SlowLoggerWithClock(ctx, logf, 20*time.Millisecond, 60, time.Now)

 	var checks []doctor.Check
 	checks = append(checks,
--- a/ipn/ipnlocal/local_test.go
+++ b/ipn/ipnlocal/local_test.go
@@ -20,7 +20,6 @@ import (
 	"tailscale.com/net/interfaces"
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/tailcfg"
-	"tailscale.com/tsd"
 	"tailscale.com/tstest"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
@@ -502,16 +501,13 @@ func TestLazyMachineKeyGeneration(t *testing.T) {
 	tstest.Replace(t, &panicOnMachineKeyGeneration, func() bool { return true })

 	var logf logger.Logf = logger.Discard
-	sys := new(tsd.System)
 	store := new(mem.Store)
-	sys.Set(store)
-	eng, err := wgengine.NewFakeUserspaceEngine(logf, sys.Set)
+	eng, err := wgengine.NewFakeUserspaceEngine(logf, 0)
 	if err != nil {
 		t.Fatalf("NewFakeUserspaceEngine: %v", err)
 	}
 	t.Cleanup(eng.Close)
-	sys.Set(eng)
-	lb, err := NewLocalBackend(logf, logid.PublicID{}, sys, 0)
+	lb, err := NewLocalBackend(logf, logid.PublicID{}, store, nil, eng, 0)
 	if err != nil {
 		t.Fatalf("NewLocalBackend: %v", err)
 	}
@@ -769,16 +765,13 @@ func TestPacketFilterPermitsUnlockedNodes(t *testing.T) {
 func TestStatusWithoutPeers(t *testing.T) {
 	logf := tstest.WhileTestRunningLogger(t)
 	store := new(testStateStorage)
-	sys := new(tsd.System)
-	sys.Set(store)
-	e, err := wgengine.NewFakeUserspaceEngine(logf, sys.Set)
+	e, err := wgengine.NewFakeUserspaceEngine(logf, 0)
 	if err != nil {
 		t.Fatalf("NewFakeUserspaceEngine: %v", err)
 	}
-	sys.Set(e)
 	t.Cleanup(e.Close)

-	b, err := NewLocalBackend(logf, logid.PublicID{}, sys, 0)
+	b, err := NewLocalBackend(logf, logid.PublicID{}, store, nil, e, 0)
 	if err != nil {
 		t.Fatalf("NewLocalBackend: %v", err)
 	}
--- a/ipn/ipnlocal/loglines_test.go
+++ b/ipn/ipnlocal/loglines_test.go
@@ -12,7 +12,6 @@ import (
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/ipn/store/mem"
 	"tailscale.com/tailcfg"
-	"tailscale.com/tsd"
 	"tailscale.com/tstest"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
@@ -48,17 +47,14 @@ func TestLocalLogLines(t *testing.T) {
 	idA := logid(0xaa)

 	// set up a LocalBackend, super bare bones. No functional data.
-	sys := new(tsd.System)
 	store := new(mem.Store)
-	sys.Set(store)
-	e, err := wgengine.NewFakeUserspaceEngine(logf, sys.Set)
+	e, err := wgengine.NewFakeUserspaceEngine(logf, 0)
 	if err != nil {
 		t.Fatal(err)
 	}
 	t.Cleanup(e.Close)
-	sys.Set(e)

-	lb, err := NewLocalBackend(logf, idA, sys, 0)
+	lb, err := NewLocalBackend(logf, idA, store, nil, e, 0)
 	if err != nil {
 		t.Fatal(err)
 	}
--- a/ipn/ipnlocal/network-lock.go
+++ b/ipn/ipnlocal/network-lock.go
@@ -20,8 +20,8 @@ import (
 	"path/filepath"
 	"time"

+	"tailscale.com/envknob"
 	"tailscale.com/health"
-	"tailscale.com/health/healthmsg"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
 	"tailscale.com/net/tsaddr"
@@ -53,12 +53,20 @@ type tkaState struct {
 	filtered  []ipnstate.TKAFilteredPeer
 }

+// permitTKAInitLocked returns true if tailnet lock initialization may
+// occur.
+// b.mu must be held.
+func (b *LocalBackend) permitTKAInitLocked() bool {
+	return envknob.UseWIPCode() || b.capTailnetLock
+}
+
 // tkaFilterNetmapLocked checks the signatures on each node key, dropping
 // nodes from the netmap whose signature does not verify.
 //
 // b.mu must be held.
 func (b *LocalBackend) tkaFilterNetmapLocked(nm *netmap.NetworkMap) {
-	if b.tka == nil && !b.capTailnetLock {
+	// TODO(tom): Remove this guard for 1.35 and later.
+	if b.tka == nil && !b.permitTKAInitLocked() {
 		health.SetTKAHealth(nil)
 		return
 	}
@@ -116,7 +124,7 @@ func (b *LocalBackend) tkaFilterNetmapLocked(nm *netmap.NetworkMap) {

 	// Check that we ourselves are not locked out, report a health issue if so.
 	if nm.SelfNode != nil && b.tka.authority.NodeKeyAuthorized(nm.SelfNode.Key, nm.SelfNode.KeySignature) != nil {
-		health.SetTKAHealth(errors.New(healthmsg.LockedOut))
+		health.SetTKAHealth(errors.New("this node is locked out; it will not have connectivity until it is signed. For more info, see https://tailscale.com/s/locked-out"))
 	} else {
 		health.SetTKAHealth(nil)
 	}
@@ -145,13 +153,12 @@ func (b *LocalBackend) tkaSyncIfNeeded(nm *netmap.NetworkMap, prefs ipn.PrefsVie
 	b.mu.Lock() // take mu to protect access to synchronized fields.
 	defer b.mu.Unlock()

-	if b.tka == nil && !b.capTailnetLock {
+	// TODO(tom): Remove this guard for 1.35 and later.
+	if b.tka == nil && !b.permitTKAInitLocked() {
 		return nil
 	}

-	if b.tka != nil || nm.TKAEnabled {
-		b.logf("tkaSyncIfNeeded: enabled=%v, head=%v", nm.TKAEnabled, nm.TKAHead)
-	}
+	b.logf("tkaSyncIfNeeded: enabled=%v, head=%v", nm.TKAEnabled, nm.TKAHead)

 	ourNodeKey := prefs.Persist().PublicNodeKey()

@@ -190,7 +197,7 @@ func (b *LocalBackend) tkaSyncIfNeeded(nm *netmap.NetworkMap, prefs ipn.PrefsVie
 				health.SetTKAHealth(nil)
 			}
 		} else {
-			return fmt.Errorf("[bug] unreachable invariant of wantEnabled w/ isEnabled")
+			return fmt.Errorf("[bug] unreachable invariant of wantEnabled /w isEnabled")
 		}
 	}

@@ -442,8 +449,6 @@ func (b *LocalBackend) NetworkLockStatus() *ipnstate.NetworkLockStatus {
 		filtered[i] = b.tka.filtered[i].Clone()
 	}

-	stateID1, _ := b.tka.authority.StateIDs()
-
 	return &ipnstate.NetworkLockStatus{
 		Enabled:       true,
 		Head:          &head,
@@ -452,7 +457,6 @@ func (b *LocalBackend) NetworkLockStatus() *ipnstate.NetworkLockStatus {
 		NodeKeySigned: selfAuthorized,
 		TrustedKeys:   outKeys,
 		FilteredPeers: filtered,
-		StateID:       stateID1,
 	}
 }

@@ -474,9 +478,10 @@ func (b *LocalBackend) NetworkLockInit(keys []tka.Key, disablementValues [][]byt
 	var nlPriv key.NLPrivate
 	b.mu.Lock()

-	if !b.capTailnetLock {
+	// TODO(tom): Remove this guard for 1.35 and later.
+	if !b.permitTKAInitLocked() {
 		b.mu.Unlock()
-		return errors.New("not permitted to enable tailnet lock")
+		return errors.New("this feature is not yet complete, a later release may support this functionality")
 	}

 	if p := b.pm.CurrentPrefs(); p.Valid() && p.Persist().Valid() && !p.Persist().PrivateNodeKey().IsZero() {
@@ -879,18 +884,6 @@ func (b *LocalBackend) NetworkLockWrapPreauthKey(preauthKey string, tkaKey key.N
 	return fmt.Sprintf("%s--TL%s-%s", preauthKey, tkaSuffixEncoder.EncodeToString(sig.Serialize()), tkaSuffixEncoder.EncodeToString(priv)), nil
 }

-// NetworkLockVerifySigningDeeplink asks the authority to verify the given deeplink
-// URL. See the comment for ValidateDeeplink for details.
-func (b *LocalBackend) NetworkLockVerifySigningDeeplink(url string) tka.DeeplinkValidationResult {
-	b.mu.Lock()
-	defer b.mu.Unlock()
-	if b.tka == nil {
-		return tka.DeeplinkValidationResult{IsValid: false, Error: errNetworkLockNotActive.Error()}
-	}
-
-	return b.tka.authority.ValidateDeeplink(url)
-}
-
 func signNodeKey(nodeInfo tailcfg.TKASignInfo, signer key.NLPrivate) (*tka.NodeKeySignature, error) {
 	p, err := nodeInfo.NodePublic.MarshalBinary()
 	if err != nil {
--- a/ipn/ipnlocal/network-lock_test.go
+++ b/ipn/ipnlocal/network-lock_test.go
@@ -17,6 +17,7 @@ import (

 	"github.com/google/go-cmp/cmp"
 	"tailscale.com/control/controlclient"
+	"tailscale.com/envknob"
 	"tailscale.com/hostinfo"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/store/mem"
@@ -65,6 +66,8 @@ func fakeNoiseServer(t *testing.T, handler http.HandlerFunc) (*httptest.Server,
 }

 func TestTKAEnablementFlow(t *testing.T) {
+	envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
+	defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "")
 	nodePriv := key.NewNode()

 	// Make a fake TKA authority, getting a usable genesis AUM which
@@ -147,13 +150,12 @@ func TestTKAEnablementFlow(t *testing.T) {
 		},
 	}).View()))
 	b := LocalBackend{
-		capTailnetLock: true,
-		varRoot:        temp,
-		cc:             cc,
-		ccAuto:         cc,
-		logf:           t.Logf,
-		pm:             pm,
-		store:          pm.Store(),
+		varRoot: temp,
+		cc:      cc,
+		ccAuto:  cc,
+		logf:    t.Logf,
+		pm:      pm,
+		store:   pm.Store(),
 	}

 	err = b.tkaSyncIfNeeded(&netmap.NetworkMap{
@@ -172,6 +174,8 @@ func TestTKAEnablementFlow(t *testing.T) {
 }

 func TestTKADisablementFlow(t *testing.T) {
+	envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
+	defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "")
 	nodePriv := key.NewNode()

 	// Make a fake TKA authority, to seed local state.
@@ -293,6 +297,9 @@ func TestTKADisablementFlow(t *testing.T) {
 }

 func TestTKASync(t *testing.T) {
+	envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
+	defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "")
+
 	someKeyPriv := key.NewNLPrivate()
 	someKey := tka.Key{Kind: tka.Key25519, Public: someKeyPriv.Public().Verifier(), Votes: 1}

@@ -531,6 +538,9 @@ func TestTKASync(t *testing.T) {
 }

 func TestTKAFilterNetmap(t *testing.T) {
+	envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
+	defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "")
+
 	nlPriv := key.NewNLPrivate()
 	nlKey := tka.Key{Kind: tka.Key25519, Public: nlPriv.Public().Verifier(), Votes: 2}
 	storage := &tka.Mem{}
@@ -587,6 +597,8 @@ func TestTKAFilterNetmap(t *testing.T) {
 }

 func TestTKADisable(t *testing.T) {
+	envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
+	defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "")
 	nodePriv := key.NewNode()

 	// Make a fake TKA authority, to seed local state.
@@ -680,6 +692,8 @@ func TestTKADisable(t *testing.T) {
 }

 func TestTKASign(t *testing.T) {
+	envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
+	defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "")
 	nodePriv := key.NewNode()
 	toSign := key.NewNode()
 	nlPriv := key.NewNLPrivate()
@@ -766,6 +780,8 @@ func TestTKASign(t *testing.T) {
 }

 func TestTKAForceDisable(t *testing.T) {
+	envknob.Setenv("TAILSCALE_USE_WIP_CODE", "1")
+	defer envknob.Setenv("TAILSCALE_USE_WIP_CODE", "")
 	nodePriv := key.NewNode()

 	// Make a fake TKA authority, to seed local state.
--- a/ipn/ipnlocal/peerapi.go
+++ b/ipn/ipnlocal/peerapi.go
@@ -50,6 +50,7 @@ import (
 	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/multierr"
 	"tailscale.com/version/distro"
+	"tailscale.com/wgengine"
 	"tailscale.com/wgengine/filter"
 )

@@ -304,7 +305,7 @@ func (s *peerAPIServer) DeleteFile(baseName string) error {
 	}
 	var bo *backoff.Backoff
 	logf := s.b.logf
-	t0 := s.b.clock.Now()
+	t0 := time.Now()
 	for {
 		err := os.Remove(path)
 		if err != nil && !os.IsNotExist(err) {
@@ -323,7 +324,7 @@ func (s *peerAPIServer) DeleteFile(baseName string) error {
 				if bo == nil {
 					bo = backoff.NewBackoff("delete-retry", logf, 1*time.Second)
 				}
-				if s.b.clock.Since(t0) < 5*time.Second {
+				if time.Since(t0) < 5*time.Second {
 					bo.BackOff(context.Background(), err)
 					continue
 				}
@@ -468,7 +469,7 @@ func (s *peerAPIServer) listen(ip netip.Addr, ifState *interfaces.State) (ln net
 		}
 	}

-	if s.b.sys.IsNetstack() {
+	if wgengine.IsNetstack(s.b.e) {
 		ipStr = ""
 	}

@@ -780,7 +781,7 @@ func (h *peerAPIHandler) handleServeIngress(w http.ResponseWriter, r *http.Reque
 		return
 	}

-	getConnOrReset := func() (net.Conn, bool) {
+	getConn := func() (net.Conn, bool) {
 		conn, _, err := w.(http.Hijacker).Hijack()
 		if err != nil {
 			h.logf("ingress: failed hijacking conn")
@@ -798,7 +799,7 @@ func (h *peerAPIHandler) handleServeIngress(w http.ResponseWriter, r *http.Reque
 		http.Error(w, "denied", http.StatusForbidden)
 	}

-	h.ps.b.HandleIngressTCPConn(h.peerNode, target, srcAddr, getConnOrReset, sendRST)
+	h.ps.b.HandleIngressTCPConn(h.peerNode, target, srcAddr, getConn, sendRST)
 }

 func (h *peerAPIHandler) handleServeInterfaces(w http.ResponseWriter, r *http.Request) {
@@ -1000,7 +1001,7 @@ func (f *incomingFile) Write(p []byte) (n int, err error) {
 		f.mu.Lock()
 		defer f.mu.Unlock()
 		f.copied += int64(n)
-		now := b.clock.Now()
+		now := time.Now()
 		if f.lastNotify.IsZero() || now.Sub(f.lastNotify) > time.Second {
 			f.lastNotify = now
 			needNotify = true
@@ -1028,7 +1029,7 @@ func (h *peerAPIHandler) canPutFile() bool {
 		// Unsigned peers can't send files.
 		return false
 	}
-	return h.isSelf || h.peerHasCap(tailcfg.PeerCapabilityFileSharingSend)
+	return h.isSelf || h.peerHasCap(tailcfg.CapabilityFileSharingSend)
 }

 // canDebug reports whether h can debug this node (goroutines, metrics,
@@ -1042,7 +1043,7 @@ func (h *peerAPIHandler) canDebug() bool {
 		// Unsigned peers can't debug.
 		return false
 	}
-	return h.isSelf || h.peerHasCap(tailcfg.PeerCapabilityDebugPeer)
+	return h.isSelf || h.peerHasCap(tailcfg.CapabilityDebugPeer)
 }

 // canWakeOnLAN reports whether h can send a Wake-on-LAN packet from this node.
@@ -1050,18 +1051,23 @@ func (h *peerAPIHandler) canWakeOnLAN() bool {
 	if h.peerNode.UnsignedPeerAPIOnly {
 		return false
 	}
-	return h.isSelf || h.peerHasCap(tailcfg.PeerCapabilityWakeOnLAN)
+	return h.isSelf || h.peerHasCap(tailcfg.CapabilityWakeOnLAN)
 }

 var allowSelfIngress = envknob.RegisterBool("TS_ALLOW_SELF_INGRESS")

 // canIngress reports whether h can send ingress requests to this node.
 func (h *peerAPIHandler) canIngress() bool {
-	return h.peerHasCap(tailcfg.PeerCapabilityIngress) || (allowSelfIngress() && h.isSelf)
+	return h.peerHasCap(tailcfg.CapabilityIngress) || (allowSelfIngress() && h.isSelf)
 }

-func (h *peerAPIHandler) peerHasCap(wantCap tailcfg.PeerCapability) bool {
-	return h.ps.b.PeerCaps(h.remoteAddr.Addr()).HasCapability(wantCap)
+func (h *peerAPIHandler) peerHasCap(wantCap string) bool {
+	for _, hasCap := range h.ps.b.PeerCaps(h.remoteAddr.Addr()) {
+		if hasCap == wantCap {
+			return true
+		}
+	}
+	return false
 }

 func (h *peerAPIHandler) handlePeerPut(w http.ResponseWriter, r *http.Request) {
@@ -1113,7 +1119,7 @@ func (h *peerAPIHandler) handlePeerPut(w http.ResponseWriter, r *http.Request) {
 		http.Error(w, "bad filename", 400)
 		return
 	}
-	t0 := h.ps.b.clock.Now()
+	t0 := time.Now()
 	// TODO(bradfitz): prevent same filename being sent by two peers at once
 	partialFile := dstFile + partialSuffix
 	f, err := os.Create(partialFile)
@@ -1133,7 +1139,7 @@ func (h *peerAPIHandler) handlePeerPut(w http.ResponseWriter, r *http.Request) {
 	if r.ContentLength != 0 {
 		inFile = &incomingFile{
 			name:    baseName,
-			started: h.ps.b.clock.Now(),
+			started: time.Now(),
 			size:    r.ContentLength,
 			w:       f,
 			ph:      h,
@@ -1171,7 +1177,7 @@ func (h *peerAPIHandler) handlePeerPut(w http.ResponseWriter, r *http.Request) {
 		}
 	}

-	d := h.ps.b.clock.Since(t0).Round(time.Second / 10)
+	d := time.Since(t0).Round(time.Second / 10)
 	h.logf("got put of %s in %v from %v/%v", approxSize(finalSize), d, h.remoteAddr.Addr(), h.peerNode.ComputedName)

 	// TODO: set modtime
@@ -1233,9 +1239,12 @@ func (h *peerAPIHandler) handleServeMagicsock(w http.ResponseWriter, r *http.Req
 		http.Error(w, "denied; no debug access", http.StatusForbidden)
 		return
 	}
-	if mc, ok := h.ps.b.sys.MagicSock.GetOK(); ok {
-		mc.ServeHTTPDebug(w, r)
-		return
+	eng := h.ps.b.e
+	if ig, ok := eng.(wgengine.InternalsGetter); ok {
+		if _, mc, _, ok := ig.GetInternals(); ok {
+			mc.ServeHTTPDebug(w, r)
+			return
+		}
 	}
 	http.Error(w, "miswired", 500)
 }
--- a/ipn/ipnlocal/peerapi_test.go
+++ b/ipn/ipnlocal/peerapi_test.go
@@ -457,7 +457,6 @@ func TestHandlePeerAPI(t *testing.T) {
 				logf:           e.logBuf.Logf,
 				capFileSharing: tt.capSharing,
 				netMap:         &netmap.NetworkMap{SelfNode: selfNode},
-				clock:          &tstest.Clock{},
 			}
 			e.ph = &peerAPIHandler{
 				isSelf:   tt.isSelf,
@@ -507,7 +506,6 @@ func TestFileDeleteRace(t *testing.T) {
 		b: &LocalBackend{
 			logf:           t.Logf,
 			capFileSharing: true,
-			clock:          &tstest.Clock{},
 		},
 		rootDir: dir,
 	}
--- a/ipn/ipnlocal/profiles.go
+++ b/ipn/ipnlocal/profiles.go
@@ -24,8 +24,6 @@ import (

 var errAlreadyMigrated = errors.New("profile migration already completed")

-var debug = envknob.RegisterBool("TS_DEBUG_PROFILES")
-
 // profileManager is a wrapper around a StateStore that manages
 // multiple profiles and the current profile.
 type profileManager struct {
@@ -44,13 +42,6 @@ type profileManager struct {
 	isNewProfile bool
 }

-func (pm *profileManager) dlogf(format string, args ...any) {
-	if !debug() {
-		return
-	}
-	pm.logf(format, args...)
-}
-
 // CurrentUserID returns the current user ID. It is only non-empty on
 // Windows where we have a multi-user system.
 func (pm *profileManager) CurrentUserID() ipn.WindowsUserID {
@@ -75,10 +66,8 @@ func (pm *profileManager) SetCurrentUserID(uid ipn.WindowsUserID) error {
 	// Read the CurrentProfileKey from the store which stores
 	// the selected profile for the current user.
 	b, err := pm.store.ReadState(ipn.CurrentProfileKey(string(uid)))
-	pm.dlogf("SetCurrentUserID: ReadState(%q) = %v, %v", string(uid), len(b), err)
 	if err == ipn.ErrStateNotExist || len(b) == 0 {
 		if runtime.GOOS == "windows" {
-			pm.dlogf("SetCurrentUserID: windows: migrating from legacy preferences")
 			if err := pm.migrateFromLegacyPrefs(); err != nil && !errors.Is(err, errAlreadyMigrated) {
 				return err
 			}
@@ -92,7 +81,6 @@ func (pm *profileManager) SetCurrentUserID(uid ipn.WindowsUserID) error {
 	pk := ipn.StateKey(string(b))
 	prof := pm.findProfileByKey(pk)
 	if prof == nil {
-		pm.dlogf("SetCurrentUserID: no profile found for key: %q", pk)
 		pm.NewProfile()
 		return nil
 	}
@@ -567,7 +555,6 @@ func newProfileManagerWithGOOS(store ipn.StateStore, logf logger.Logf, goos stri
 		// and runtime must be valid Windows security identifier structures.
 	} else if len(knownProfiles) == 0 && goos != "windows" && runtime.GOOS != "windows" {
 		// No known profiles, try a migration.
-		pm.dlogf("no known profiles; trying to migrate from legacy prefs")
 		if err := pm.migrateFromLegacyPrefs(); err != nil {
 			return nil, err
 		}
@@ -586,13 +573,11 @@ func (pm *profileManager) migrateFromLegacyPrefs() error {
 		metricMigrationError.Add(1)
 		return fmt.Errorf("load legacy prefs: %w", err)
 	}
-	pm.dlogf("loaded legacy preferences; sentinel=%q", sentinel)
 	if err := pm.SetPrefs(prefs); err != nil {
 		metricMigrationError.Add(1)
 		return fmt.Errorf("migrating _daemon profile: %w", err)
 	}
 	pm.completeMigration(sentinel)
-	pm.dlogf("completed legacy preferences migration with sentinel=%q", sentinel)
 	metricMigrationSuccess.Add(1)
 	return nil
 }
--- a/ipn/ipnlocal/profiles_windows.go
+++ b/ipn/ipnlocal/profiles_windows.go
@@ -40,7 +40,6 @@ func legacyPrefsDir(uid ipn.WindowsUserID) (string, error) {
 func (pm *profileManager) loadLegacyPrefs() (string, ipn.PrefsView, error) {
 	userLegacyPrefsDir, err := legacyPrefsDir(pm.currentUserID)
 	if err != nil {
-		pm.dlogf("no legacy preferences directory for %q: %v", pm.currentUserID, err)
 		return "", ipn.PrefsView{}, err
 	}

@@ -48,17 +47,14 @@ func (pm *profileManager) loadLegacyPrefs() (string, ipn.PrefsView, error) {
 	// verify that migration sentinel is not present
 	_, err = os.Stat(migrationSentinel)
 	if err == nil {
-		pm.dlogf("migration sentinel %q already exists", migrationSentinel)
 		return "", ipn.PrefsView{}, errAlreadyMigrated
 	}
 	if !os.IsNotExist(err) {
-		pm.dlogf("os.Stat(%q) = %v", migrationSentinel, err)
 		return "", ipn.PrefsView{}, err
 	}

 	prefsPath := filepath.Join(userLegacyPrefsDir, legacyPrefsFile+legacyPrefsExt)
 	prefs, err := ipn.LoadPrefs(prefsPath)
-	pm.dlogf("ipn.LoadPrefs(%q) = %v, %v", prefsPath, prefs, err)
 	if errors.Is(err, fs.ErrNotExist) {
 		return "", ipn.PrefsView{}, errAlreadyMigrated
 	}
--- a/ipn/ipnlocal/serve.go
+++ b/ipn/ipnlocal/serve.go
@@ -143,7 +143,7 @@ func (s *serveListener) Run() {
 }

 func (s *serveListener) shouldWarnAboutListenError(err error) bool {
-	if !s.b.sys.NetMon.Get().InterfaceState().HasIP(s.ap.Addr()) {
+	if !s.b.e.GetNetMon().InterfaceState().HasIP(s.ap.Addr()) {
 		// Machine likely doesn't have IPv6 enabled (or the IP is still being
 		// assigned). No need to warn. Notably, WSL2 (Issue 6303).
 		return false
@@ -162,13 +162,12 @@ func (s *serveListener) handleServeListenersAccept(ln net.Listener) error {
 			return err
 		}
 		srcAddr := conn.RemoteAddr().(*net.TCPAddr).AddrPort()
-		handler := s.b.tcpHandlerForServe(s.ap.Port(), srcAddr)
-		if handler == nil {
+		getConn := func() (net.Conn, bool) { return conn, true }
+		sendRST := func() {
 			s.b.logf("serve RST for %v", srcAddr)
 			conn.Close()
-			continue
 		}
-		go handler(conn)
+		go s.b.HandleInterceptedTCPConn(s.ap.Port(), srcAddr, getConn, sendRST)
 	}
 }

@@ -257,7 +256,7 @@ func (b *LocalBackend) ServeConfig() ipn.ServeConfigView {
 	return b.serveConfig
 }

-func (b *LocalBackend) HandleIngressTCPConn(ingressPeer *tailcfg.Node, target ipn.HostPort, srcAddr netip.AddrPort, getConnOrReset func() (net.Conn, bool), sendRST func()) {
+func (b *LocalBackend) HandleIngressTCPConn(ingressPeer *tailcfg.Node, target ipn.HostPort, srcAddr netip.AddrPort, getConn func() (net.Conn, bool), sendRST func()) {
 	b.mu.Lock()
 	sc := b.serveConfig
 	b.mu.Unlock()
@@ -290,7 +289,7 @@ func (b *LocalBackend) HandleIngressTCPConn(ingressPeer *tailcfg.Node, target ip
 	if b.getTCPHandlerForFunnelFlow != nil {
 		handler := b.getTCPHandlerForFunnelFlow(srcAddr, dport)
 		if handler != nil {
-			c, ok := getConnOrReset()
+			c, ok := getConn()
 			if !ok {
 				b.logf("localbackend: getConn didn't complete from %v to port %v", srcAddr, dport)
 				return
@@ -299,41 +298,39 @@ func (b *LocalBackend) HandleIngressTCPConn(ingressPeer *tailcfg.Node, target ip
 			return
 		}
 	}
-	// TODO(bradfitz): pass ingressPeer etc in context to tcpHandlerForServe,
+	// TODO(bradfitz): pass ingressPeer etc in context to HandleInterceptedTCPConn,
 	// extend serveHTTPContext or similar.
-	handler := b.tcpHandlerForServe(dport, srcAddr)
-	if handler == nil {
-		sendRST()
-		return
-	}
-	c, ok := getConnOrReset()
-	if !ok {
-		b.logf("localbackend: getConn didn't complete from %v to port %v", srcAddr, dport)
-		return
-	}
-	handler(c)
+	b.HandleInterceptedTCPConn(dport, srcAddr, getConn, sendRST)
 }

-// tcpHandlerForServe returns a handler for a TCP connection to be served via
-// the ipn.ServeConfig.
-func (b *LocalBackend) tcpHandlerForServe(dport uint16, srcAddr netip.AddrPort) (handler func(net.Conn) error) {
+func (b *LocalBackend) HandleInterceptedTCPConn(dport uint16, srcAddr netip.AddrPort, getConn func() (net.Conn, bool), sendRST func()) {
 	b.mu.Lock()
 	sc := b.serveConfig
 	b.mu.Unlock()

 	if !sc.Valid() {
 		b.logf("[unexpected] localbackend: got TCP conn w/o serveConfig; from %v to port %v", srcAddr, dport)
-		return nil
+		sendRST()
+		return
 	}

 	tcph, ok := sc.TCP().GetOk(dport)
 	if !ok {
 		b.logf("[unexpected] localbackend: got TCP conn without TCP config for port %v; from %v", dport, srcAddr)
-		return nil
+		sendRST()
+		return
 	}

-	if tcph.HTTPS() || tcph.HTTP() {
+	if tcph.HTTPS() {
+		conn, ok := getConn()
+		if !ok {
+			b.logf("localbackend: getConn didn't complete from %v to port %v", srcAddr, dport)
+			return
+		}
 		hs := &http.Server{
+			TLSConfig: &tls.Config{
+				GetCertificate: b.getTLSServeCertForPort(dport),
+			},
 			Handler: http.HandlerFunc(b.serveWebHandler),
 			BaseContext: func(_ net.Listener) context.Context {
 				return context.WithValue(context.Background(), serveHTTPContextKey{}, &serveHTTPContext{
@@ -342,95 +339,79 @@ func (b *LocalBackend) tcpHandlerForServe(dport uint16, srcAddr netip.AddrPort)
 				})
 			},
 		}
-		if tcph.HTTPS() {
-			hs.TLSConfig = &tls.Config{
-				GetCertificate: b.getTLSServeCertForPort(dport),
-			}
-			return func(c net.Conn) error {
-				return hs.ServeTLS(netutil.NewOneConnListener(c, nil), "", "")
-			}
-		}
-
-		return func(c net.Conn) error {
-			return hs.Serve(netutil.NewOneConnListener(c, nil))
-		}
+		hs.ServeTLS(netutil.NewOneConnListener(conn, nil), "", "")
+		return
 	}

 	if backDst := tcph.TCPForward(); backDst != "" {
-		return func(conn net.Conn) error {
-			defer conn.Close()
-			ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
-			backConn, err := b.dialer.SystemDial(ctx, "tcp", backDst)
-			cancel()
-			if err != nil {
-				b.logf("localbackend: failed to TCP proxy port %v (from %v) to %s: %v", dport, srcAddr, backDst, err)
-				return nil
-			}
-			defer backConn.Close()
-			if sni := tcph.TerminateTLS(); sni != "" {
-				conn = tls.Server(conn, &tls.Config{
-					GetCertificate: func(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
-						ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
-						defer cancel()
-						pair, err := b.GetCertPEM(ctx, sni, false)
-						if err != nil {
-							return nil, err
-						}
-						cert, err := tls.X509KeyPair(pair.CertPEM, pair.KeyPEM)
-						if err != nil {
-							return nil, err
-						}
-						return &cert, nil
-					},
-				})
-			}
-
-			// TODO(bradfitz): do the RegisterIPPortIdentity and
-			// UnregisterIPPortIdentity stuff that netstack does
-			errc := make(chan error, 1)
-			go func() {
-				_, err := io.Copy(backConn, conn)
-				errc <- err
-			}()
-			go func() {
-				_, err := io.Copy(conn, backConn)
-				errc <- err
-			}()
-			return <-errc
+		ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
+		backConn, err := b.dialer.SystemDial(ctx, "tcp", backDst)
+		cancel()
+		if err != nil {
+			b.logf("localbackend: failed to TCP proxy port %v (from %v) to %s: %v", dport, srcAddr, backDst, err)
+			sendRST()
+			return
 		}
+		conn, ok := getConn()
+		if !ok {
+			b.logf("localbackend: getConn didn't complete from %v to port %v", srcAddr, dport)
+			backConn.Close()
+			return
+		}
+		defer conn.Close()
+		defer backConn.Close()
+
+		if sni := tcph.TerminateTLS(); sni != "" {
+			conn = tls.Server(conn, &tls.Config{
+				GetCertificate: func(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
+					ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
+					defer cancel()
+					pair, err := b.GetCertPEM(ctx, sni)
+					if err != nil {
+						return nil, err
+					}
+					cert, err := tls.X509KeyPair(pair.CertPEM, pair.KeyPEM)
+					if err != nil {
+						return nil, err
+					}
+					return &cert, nil
+				},
+			})
+		}
+
+		// TODO(bradfitz): do the RegisterIPPortIdentity and
+		// UnregisterIPPortIdentity stuff that netstack does
+
+		errc := make(chan error, 1)
+		go func() {
+			_, err := io.Copy(backConn, conn)
+			errc <- err
+		}()
+		go func() {
+			_, err := io.Copy(conn, backConn)
+			errc <- err
+		}()
+		<-errc
+		return
 	}

 	b.logf("closing TCP conn to port %v (from %v) with actionless TCPPortHandler", dport, srcAddr)
-	return nil
-}
-
-func getServeHTTPContext(r *http.Request) (c *serveHTTPContext, ok bool) {
-	c, ok = r.Context().Value(serveHTTPContextKey{}).(*serveHTTPContext)
-	return c, ok
+	sendRST()
 }

 func (b *LocalBackend) getServeHandler(r *http.Request) (_ ipn.HTTPHandlerView, at string, ok bool) {
 	var z ipn.HTTPHandlerView // zero value

-	hostname := r.Host
 	if r.TLS == nil {
-		tcd := "." + b.Status().CurrentTailnet.MagicDNSSuffix
-		if host, _, err := net.SplitHostPort(hostname); err == nil {
-			hostname = host
-		}
-		if !strings.HasSuffix(hostname, tcd) {
-			hostname += tcd
-		}
-	} else {
-		hostname = r.TLS.ServerName
+		return z, "", false
 	}

-	sctx, ok := getServeHTTPContext(r)
+	sctx, ok := r.Context().Value(serveHTTPContextKey{}).(*serveHTTPContext)
 	if !ok {
 		b.logf("[unexpected] localbackend: no serveHTTPContext in request")
 		return z, "", false
 	}
-	wsc, ok := b.webServerConfig(hostname, sctx.DestPort)
+	wsc, ok := b.webServerConfig(r.TLS.ServerName, sctx.DestPort)
 	if !ok {
 		return z, "", false
 	}
@@ -466,8 +447,9 @@ func (b *LocalBackend) proxyHandlerForBackend(backend string) (*httputil.Reverse
 		Rewrite: func(r *httputil.ProxyRequest) {
 			r.SetURL(u)
 			r.Out.Host = r.In.Host
-			addProxyForwardedHeaders(r)
-			b.addTailscaleIdentityHeaders(r)
+			if c, ok := r.Out.Context().Value(serveHTTPContextKey{}).(*serveHTTPContext); ok {
+				r.Out.Header.Set("X-Forwarded-For", c.SrcAddr.Addr().String())
+			}
 		},
 		Transport: &http.Transport{
 			DialContext: b.dialer.SystemDial,
@@ -485,40 +467,6 @@ func (b *LocalBackend) proxyHandlerForBackend(backend string) (*httputil.Reverse
 	return rp, nil
 }

-func addProxyForwardedHeaders(r *httputil.ProxyRequest) {
-	r.Out.Header.Set("X-Forwarded-Host", r.In.Host)
-	if r.In.TLS != nil {
-		r.Out.Header.Set("X-Forwarded-Proto", "https")
-	}
-	if c, ok := getServeHTTPContext(r.Out); ok {
-		r.Out.Header.Set("X-Forwarded-For", c.SrcAddr.Addr().String())
-	}
-}
-
-func (b *LocalBackend) addTailscaleIdentityHeaders(r *httputil.ProxyRequest) {
-	// Clear any incoming values squatting in the headers.
-	r.Out.Header.Del("Tailscale-User-Login")
-	r.Out.Header.Del("Tailscale-User-Name")
-	r.Out.Header.Del("Tailscale-Headers-Info")
-
-	c, ok := getServeHTTPContext(r.Out)
-	if !ok {
-		return
-	}
-	node, user, ok := b.WhoIs(c.SrcAddr)
-	if !ok {
-		return // traffic from outside of Tailnet (funneled)
-	}
-	if node.IsTagged() {
-		// 2023-06-14: Not setting identity headers for tagged nodes.
-		// Only currently set for nodes with user identities.
-		return
-	}
-	r.Out.Header.Set("Tailscale-User-Login", user.LoginName)
-	r.Out.Header.Set("Tailscale-User-Name", user.DisplayName)
-	r.Out.Header.Set("Tailscale-Headers-Info", "https://tailscale.com/s/serve-headers")
-}
-
 func (b *LocalBackend) serveWebHandler(w http.ResponseWriter, r *http.Request) {
 	h, mountPoint, ok := b.getServeHandler(r)
 	if !ok {
@@ -651,8 +599,8 @@ func allNumeric(s string) bool {
 	return s != ""
 }

-func (b *LocalBackend) webServerConfig(hostname string, port uint16) (c ipn.WebServerConfigView, ok bool) {
-	key := ipn.HostPort(fmt.Sprintf("%s:%v", hostname, port))
+func (b *LocalBackend) webServerConfig(sniName string, port uint16) (c ipn.WebServerConfigView, ok bool) {
+	key := ipn.HostPort(fmt.Sprintf("%s:%v", sniName, port))

 	b.mu.Lock()
 	defer b.mu.Unlock()
@@ -675,7 +623,7 @@ func (b *LocalBackend) getTLSServeCertForPort(port uint16) func(hi *tls.ClientHe

 		ctx, cancel := context.WithTimeout(context.Background(), time.Minute)
 		defer cancel()
-		pair, err := b.GetCertPEM(ctx, hi.ServerName, false)
+		pair, err := b.GetCertPEM(ctx, hi.ServerName)
 		if err != nil {
 			return nil, err
 		}
--- a/ipn/ipnlocal/serve_test.go
+++ b/ipn/ipnlocal/serve_test.go
@@ -10,22 +10,12 @@ import (
 	"fmt"
 	"net/http"
 	"net/http/httptest"
-	"net/netip"
 	"net/url"
 	"os"
 	"path/filepath"
-	"strings"
 	"testing"

 	"tailscale.com/ipn"
-	"tailscale.com/ipn/store/mem"
-	"tailscale.com/tailcfg"
-	"tailscale.com/tsd"
-	"tailscale.com/types/logid"
-	"tailscale.com/types/netmap"
-	"tailscale.com/util/cmpx"
-	"tailscale.com/util/must"
-	"tailscale.com/wgengine"
 )

 func TestExpandProxyArg(t *testing.T) {
@@ -150,7 +140,10 @@ func TestGetServeHandler(t *testing.T) {
 				},
 				TLS: &tls.ConnectionState{ServerName: serverName},
 			}
-			port := cmpx.Or(tt.port, 443)
+			port := tt.port
+			if port == 0 {
+				port = 443
+			}
 			req = req.WithContext(context.WithValue(req.Context(), serveHTTPContextKey{}, &serveHTTPContext{
 				DestPort: port,
 			}))
@@ -169,142 +162,6 @@ func TestGetServeHandler(t *testing.T) {
 	}
 }

-func TestServeHTTPProxy(t *testing.T) {
-	sys := &tsd.System{}
-	e, err := wgengine.NewUserspaceEngine(t.Logf, wgengine.Config{SetSubsystem: sys.Set})
-	if err != nil {
-		t.Fatal(err)
-	}
-	sys.Set(e)
-	sys.Set(new(mem.Store))
-	b, err := NewLocalBackend(t.Logf, logid.PublicID{}, sys, 0)
-	if err != nil {
-		t.Fatal(err)
-	}
-	defer b.Shutdown()
-	dir := t.TempDir()
-	b.SetVarRoot(dir)
-
-	pm := must.Get(newProfileManager(new(mem.Store), t.Logf))
-	pm.currentProfile = &ipn.LoginProfile{ID: "id0"}
-	b.pm = pm
-
-	b.netMap = &netmap.NetworkMap{
-		SelfNode: &tailcfg.Node{
-			Name: "example.ts.net",
-		},
-		UserProfiles: map[tailcfg.UserID]tailcfg.UserProfile{
-			tailcfg.UserID(1): {
-				LoginName:   "someone@example.com",
-				DisplayName: "Some One",
-			},
-		},
-	}
-	b.nodeByAddr = map[netip.Addr]*tailcfg.Node{
-		netip.MustParseAddr("100.150.151.152"): {
-			ComputedName: "some-peer",
-			User:         tailcfg.UserID(1),
-		},
-		netip.MustParseAddr("100.150.151.153"): {
-			ComputedName: "some-tagged-peer",
-			Tags:         []string{"tag:server", "tag:test"},
-			User:         tailcfg.UserID(1),
-		},
-	}
-
-	// Start test serve endpoint.
-	testServ := httptest.NewServer(http.HandlerFunc(
-		func(w http.ResponseWriter, r *http.Request) {
-			// Piping all the headers through the response writer
-			// so we can check their values in tests below.
-			for key, val := range r.Header {
-				w.Header().Add(key, strings.Join(val, ","))
-			}
-		},
-	))
-	defer testServ.Close()
-
-	conf := &ipn.ServeConfig{
-		Web: map[ipn.HostPort]*ipn.WebServerConfig{
-			"example.ts.net:443": {Handlers: map[string]*ipn.HTTPHandler{
-				"/": {Proxy: testServ.URL},
-			}},
-		},
-	}
-	if err := b.SetServeConfig(conf); err != nil {
-		t.Fatal(err)
-	}
-
-	type headerCheck struct {
-		header string
-		want   string
-	}
-
-	tests := []struct {
-		name        string
-		srcIP       string
-		wantHeaders []headerCheck
-	}{
-		{
-			name:  "request-from-user-within-tailnet",
-			srcIP: "100.150.151.152",
-			wantHeaders: []headerCheck{
-				{"X-Forwarded-Proto", "https"},
-				{"X-Forwarded-For", "100.150.151.152"},
-				{"Tailscale-User-Login", "someone@example.com"},
-				{"Tailscale-User-Name", "Some One"},
-				{"Tailscale-Headers-Info", "https://tailscale.com/s/serve-headers"},
-			},
-		},
-		{
-			name:  "request-from-tagged-node-within-tailnet",
-			srcIP: "100.150.151.153",
-			wantHeaders: []headerCheck{
-				{"X-Forwarded-Proto", "https"},
-				{"X-Forwarded-For", "100.150.151.153"},
-				{"Tailscale-User-Login", ""},
-				{"Tailscale-User-Name", ""},
-				{"Tailscale-Headers-Info", ""},
-			},
-		},
-		{
-			name:  "request-from-outside-tailnet",
-			srcIP: "100.160.161.162",
-			wantHeaders: []headerCheck{
-				{"X-Forwarded-Proto", "https"},
-				{"X-Forwarded-For", "100.160.161.162"},
-				{"Tailscale-User-Login", ""},
-				{"Tailscale-User-Name", ""},
-				{"Tailscale-Headers-Info", ""},
-			},
-		},
-	}
-
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			req := &http.Request{
-				URL: &url.URL{Path: "/"},
-				TLS: &tls.ConnectionState{ServerName: "example.ts.net"},
-			}
-			req = req.WithContext(context.WithValue(req.Context(), serveHTTPContextKey{}, &serveHTTPContext{
-				DestPort: 443,
-				SrcAddr:  netip.MustParseAddrPort(tt.srcIP + ":1234"), // random src port for tests
-			}))
-
-			w := httptest.NewRecorder()
-			b.serveWebHandler(w, req)
-
-			// Verify the headers.
-			h := w.Result().Header
-			for _, c := range tt.wantHeaders {
-				if got := h.Get(c.header); got != c.want {
-					t.Errorf("invalid %q header; want=%q, got=%q", c.header, c.want, got)
-				}
-			}
-		})
-	}
-}
-
 func TestServeFileOrDirectory(t *testing.T) {
 	td := t.TempDir()
 	writeFile := func(suffix, contents string) {
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Shayne Sweeney	1dc9edde90	cmd/tailscale/cli: [web] update JS in web.html for Unraid support Signed-off-by: Shayne Sweeney <shayne@tailscale.com>	2023-05-16 20:34:30 -04:00
Derek Kaser	b15d8525d0	cmd/tailscale: allow Tailscale to work with Unraid web interface Updates tailscale/tailscale#8026 Signed-off-by: Derek Kaser <derek.kaser@gmail.com>	2023-05-06 22:35:02 -04:00
@@ -1 +1 @@
 .47.0
 .41.0