Experimental

Signed-off-by: Irbe Krumina <irbe@tailscale.com>
Try to pass config file to tailscaled
2024-01-05 09:14:02 +00:00 · 2024-01-05 05:55:41 +00:00 · 2024-01-04 19:23:26 +00:00 · 2024-01-04 12:37:13 +00:00 · 2024-01-04 12:27:21 +00:00 · 2024-01-04 12:27:12 +00:00
67 changed files with 1574 additions and 2726 deletions
--- a/.github/workflows/govulncheck.yml
+++ b/.github/workflows/govulncheck.yml
@@ -22,30 +22,17 @@ jobs:
      - name: Scan source code for known vulnerabilities
        run: PATH=$PWD/tool/:$PATH "$(./tool/go env GOPATH)/bin/govulncheck" -test ./...

-      - name: Post to slack
-        if: failure() && github.event_name == 'schedule'
-        uses: slackapi/slack-github-action@v1.24.0
-        env:
-          SLACK_BOT_TOKEN: ${{ secrets.GOVULNCHECK_BOT_TOKEN }}
+      - uses: ruby/action-slack@v3.2.1
        with:
-          channel-id: 'C05PXRM304B'
-          payload: |
+          payload: >
            {
-              "blocks": [
-                {
-                  "type": "section",
-                  "text": {
-                    "type": "mrkdwn",
-                    "text": "Govulncheck failed in ${{ github.repository }}"
-                  },
-                  "accessory": {
-                    "type": "button",
-                    "text": {
-                      "type": "plain_text",
-                      "text": "View results"
-                    },
-                    "url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
-                  }
-                }
-              ]
+              "attachments": [{
+                "title": "${{ job.status }}: ${{ github.workflow }}",
+                "title_link": "https://github.com/${{ github.repository }}/commit/${{ github.sha }}/checks",
+                "text": "${{ github.repository }}@${{ github.sha }}",
+                "color": "danger"
+              }]
            }
+        env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        if: failure() && github.event_name == 'schedule'
--- a/6
+++ b/6
@@ -18,8 +18,7 @@ updatedeps: ## Update depaware deps
 	PATH="$$(./tool/go env GOROOT)/bin:$$PATH" ./tool/go run github.com/tailscale/depaware --update \
 		tailscale.com/cmd/tailscaled \
 		tailscale.com/cmd/tailscale \
-		tailscale.com/cmd/derper \
-		tailscale.com/cmd/stund
+		tailscale.com/cmd/derper

 depaware: ## Run depaware checks
 	# depaware (via x/tools/go/packages) shells back to "go", so make sure the "go"
@@ -27,8 +26,7 @@ depaware: ## Run depaware checks
 	PATH="$$(./tool/go env GOROOT)/bin:$$PATH" ./tool/go run github.com/tailscale/depaware --check \
 		tailscale.com/cmd/tailscaled \
 		tailscale.com/cmd/tailscale \
-		tailscale.com/cmd/derper \
-		tailscale.com/cmd/stund
+		tailscale.com/cmd/derper

 buildwindows: ## Build tailscale CLI for windows/amd64
 	GOOS=windows GOARCH=amd64 ./tool/go install tailscale.com/cmd/tailscale tailscale.com/cmd/tailscaled
--- a/client/web/src/components/app.tsx
+++ b/client/web/src/components/app.tsx
@@ -5,7 +5,6 @@ import React from "react"
 import { ReactComponent as TailscaleIcon } from "src/assets/icons/tailscale-icon.svg"
 import LoginToggle from "src/components/login-toggle"
 import DeviceDetailsView from "src/components/views/device-details-view"
-import DisconnectedView from "src/components/views/disconnected-view"
 import HomeView from "src/components/views/home-view"
 import LoginView from "src/components/views/login-view"
 import SSHView from "src/components/views/ssh-view"
@@ -75,7 +74,9 @@ function WebClient({
            />
          </FeatureRoute>
          <Route path="/disconnected">
-            <DisconnectedView />
+            <Card className="mt-8">
+              <EmptyState description="You have been disconnected" />
+            </Card>
          </Route>
          <Route>
            <Card className="mt-8">
--- a/client/web/src/components/views/device-details-view.tsx
+++ b/client/web/src/components/views/device-details-view.tsx
@@ -226,22 +226,24 @@ function DisconnectDialog() {
  return (
    <Dialog
      className="max-w-md"
-      title="Log out"
-      trigger={<Button sizeVariant="small">Log out…</Button>}
+      title="Disconnect"
+      trigger={<Button sizeVariant="small">Disconnect…</Button>}
    >
      <Dialog.Form
        cancelButton
-        submitButton="Log out"
+        submitButton="Disconnect"
        destructive
        onSubmit={() => {
          api({ action: "logout" })
          setLocation("/disconnected")
        }}
      >
-        Logging out of this device will disconnect it from your tailnet and
-        expire its node key. You won’t be able to use this web interface until
-        you re-authenticate the device from either the Tailscale app or the
-        Tailscale command line interface.
+        You are about to disconnect this device from your tailnet. To reconnect,
+        you will be required to re-authenticate this device.
+        <p className="mt-4 text-sm text-text-muted">
+          Your connection to this web interface will end as soon as you click
+          disconnect.
+        </p>
      </Dialog.Form>
    </Dialog>
  )
--- a/client/web/src/components/views/disconnected-view.tsx
+++ b/client/web/src/components/views/disconnected-view.tsx
@@ -1,21 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-import React from "react"
-import { ReactComponent as TailscaleIcon } from "src/assets/icons/tailscale-icon.svg"
-
-/**
- * DisconnectedView is rendered after node logout.
- */
-export default function DisconnectedView() {
-  return (
-    <>
-      <TailscaleIcon className="mx-auto" />
-      <p className="mt-12 text-center text-text-muted">
-        You logged out of this device. To reconnect it you will have to
-        re-authenticate the device from either the Tailscale app or the
-        Tailscale command line interface.
-      </p>
-    </>
-  )
-}
--- a/client/web/web.go
+++ b/client/web/web.go
@@ -22,7 +22,7 @@ import (
 	"sync"
 	"time"

-	"github.com/tailscale/csrf"
+	"github.com/gorilla/csrf"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/client/tailscale/apitype"
 	"tailscale.com/clientupdate"
@@ -176,12 +176,11 @@ func NewServer(opts ServerOpts) (s *Server, err error) {
 		waitAuthURL: opts.WaitAuthURL,
 	}
 	if opts.PathPrefix != "" {
-		// Enforce that path prefix always has a single leading '/'
-		// so that it is treated as a relative URL path.
-		// We strip multiple leading '/' to prevent schema-less offsite URLs like "//example.com".
-		//
-		// See https://github.com/tailscale/corp/issues/16268.
-		s.pathPrefix = "/" + strings.TrimLeft(path.Clean(opts.PathPrefix), "/\\")
+		// In enforcePrefix, we add the necessary leading '/'. If we did not
+		// strip 1 or more leading '/'s here, we would end up redirecting
+		// clients to e.g. //example.com (a schema-less URL that points to
+		// another site). See https://github.com/tailscale/corp/issues/16268.
+		s.pathPrefix = strings.TrimLeft(path.Clean(opts.PathPrefix), "/\\")
 	}
 	if s.mode == ManageServerMode {
 		if opts.NewAuthURL == nil {
--- a/client/web/web_test.go
+++ b/client/web/web_test.go
@@ -939,65 +939,36 @@ func TestServeAPIAuthMetricLogging(t *testing.T) {
 	}
 }

-// TestPathPrefix tests that the provided path prefix is normalized correctly.
-// If a leading '/' is missing, one should be added.
-// If multiple leading '/' are present, they should be collapsed to one.
-// Additionally verify that this prevents open redirects when enforcing the path prefix.
-func TestPathPrefix(t *testing.T) {
+func TestNoOffSiteRedirect(t *testing.T) {
+	options := ServerOpts{
+		Mode: LoginServerMode,
+		// Emulate the admin using a --prefix option with leading slashes:
+		PathPrefix: "//evil.example.com/goat",
+		CGIMode:    true,
+	}
+	s, err := NewServer(options)
+	if err != nil {
+		t.Error(err)
+	}
+
 	tests := []struct {
 		name         string
-		prefix       string
-		wantPrefix   string
+		target       string
+		wantHandled  bool
 		wantLocation string
 	}{
-		{
-			name:         "no-leading-slash",
-			prefix:       "javascript:alert(1)",
-			wantPrefix:   "/javascript:alert(1)",
-			wantLocation: "/javascript:alert(1)/",
-		},
 		{
 			name:   "2-slashes",
-			prefix: "//evil.example.com/goat",
+			target: "http://localhost//evil.example.com/goat",
 			// We must also get the trailing slash added:
-			wantPrefix:   "/evil.example.com/goat",
 			wantLocation: "/evil.example.com/goat/",
 		},
-		{
-			name:   "absolute-url",
-			prefix: "http://evil.example.com",
-			// We must also get the trailing slash added:
-			wantPrefix:   "/http:/evil.example.com",
-			wantLocation: "/http:/evil.example.com/",
-		},
-		{
-			name:   "double-dot",
-			prefix: "/../.././etc/passwd",
-			// We must also get the trailing slash added:
-			wantPrefix:   "/etc/passwd",
-			wantLocation: "/etc/passwd/",
-		},
 	}

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			options := ServerOpts{
-				Mode:       LoginServerMode,
-				PathPrefix: tt.prefix,
-				CGIMode:    true,
-			}
-			s, err := NewServer(options)
-			if err != nil {
-				t.Error(err)
-			}
-
-			// verify provided prefix was normalized correctly
-			if s.pathPrefix != tt.wantPrefix {
-				t.Errorf("prefix was not normalized correctly; want=%q, got=%q", tt.wantPrefix, s.pathPrefix)
-			}
-
 			s.logf = t.Logf
-			r := httptest.NewRequest(httpm.GET, "http://localhost/", nil)
+			r := httptest.NewRequest(httpm.GET, tt.target, nil)
 			w := httptest.NewRecorder()
 			s.ServeHTTP(w, r)
 			res := w.Result()
@@ -1005,7 +976,7 @@ func TestPathPrefix(t *testing.T) {

 			location := w.Header().Get("Location")
 			if location != tt.wantLocation {
-				t.Errorf("request got wrong location; want=%q, got=%q", tt.wantLocation, location)
+				t.Errorf("request(%q) got wrong location; want=%q, got=%q", tt.target, tt.wantLocation, location)
 			}
 		})
 	}
--- a/cmd/containerboot/main.go
+++ b/cmd/containerboot/main.go
@@ -48,13 +48,6 @@
 //     ${TS_CERT_DOMAIN}, it will be replaced with the value of the available FQDN.
 //     It cannot be used in conjunction with TS_DEST_IP. The file is watched for changes,
 //     and will be re-applied when it changes.
-//   - EXPERIMENTAL_TS_CONFIGFILE_PATH: if specified, a path to tailscaled
-//     config. If this is set, TS_HOSTNAME, TS_EXTRA_ARGS, TS_AUTHKEY,
-//     TS_ROUTES, TS_ACCEPT_DNS env vars must not be set. If this is set,
-//     containerboot only runs `tailscaled --config <path-to-this-configfile>`
-//     and not `tailscale up` or `tailscale set`.
-//     The config file contents are currently read once on container start.
-//     NB: This env var is currently experimental and the logic will likely change!
 //
 // When running on Kubernetes, containerboot defaults to storing state in the
 // "tailscale" kube secret. To store state on local disk instead, set
@@ -90,7 +83,6 @@ import (
 	"golang.org/x/sys/unix"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
-	"tailscale.com/ipn/conffile"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/logger"
 	"tailscale.com/types/ptr"
@@ -110,29 +102,40 @@ func main() {
 	tailscale.I_Acknowledge_This_API_Is_Unstable = true

 	cfg := &settings{
-		AuthKey:                  defaultEnvs([]string{"TS_AUTHKEY", "TS_AUTH_KEY"}, ""),
-		Hostname:                 defaultEnv("TS_HOSTNAME", ""),
-		Routes:                   defaultEnvStringPointer("TS_ROUTES"),
-		ServeConfigPath:          defaultEnv("TS_SERVE_CONFIG", ""),
-		ProxyTo:                  defaultEnv("TS_DEST_IP", ""),
-		TailnetTargetIP:          defaultEnv("TS_TAILNET_TARGET_IP", ""),
-		TailnetTargetFQDN:        defaultEnv("TS_TAILNET_TARGET_FQDN", ""),
-		DaemonExtraArgs:          defaultEnv("TS_TAILSCALED_EXTRA_ARGS", ""),
-		ExtraArgs:                defaultEnv("TS_EXTRA_ARGS", ""),
-		InKubernetes:             os.Getenv("KUBERNETES_SERVICE_HOST") != "",
-		UserspaceMode:            defaultBool("TS_USERSPACE", true),
-		StateDir:                 defaultEnv("TS_STATE_DIR", ""),
-		AcceptDNS:                defaultEnvBoolPointer("TS_ACCEPT_DNS"),
-		KubeSecret:               defaultEnv("TS_KUBE_SECRET", "tailscale"),
-		SOCKSProxyAddr:           defaultEnv("TS_SOCKS5_SERVER", ""),
-		HTTPProxyAddr:            defaultEnv("TS_OUTBOUND_HTTP_PROXY_LISTEN", ""),
-		Socket:                   defaultEnv("TS_SOCKET", "/tmp/tailscaled.sock"),
-		AuthOnce:                 defaultBool("TS_AUTH_ONCE", false),
-		Root:                     defaultEnv("TS_TEST_ONLY_ROOT", "/"),
-		TailscaledConfigFilePath: defaultEnv("EXPERIMENTAL_TS_CONFIGFILE_PATH", ""),
+		AuthKey:           defaultEnvs([]string{"TS_AUTHKEY", "TS_AUTH_KEY"}, ""),
+		Hostname:          defaultEnv("TS_HOSTNAME", ""),
+		Routes:            defaultEnvPointer("TS_ROUTES"),
+		ServeConfigPath:   defaultEnv("TS_SERVE_CONFIG", ""),
+		ConfigFilePath:    defaultEnv("TS_CONFIGFILE_PATH", ""),
+		ProxyTo:           defaultEnv("TS_DEST_IP", ""),
+		TailnetTargetIP:   defaultEnv("TS_TAILNET_TARGET_IP", ""),
+		TailnetTargetFQDN: defaultEnv("TS_TAILNET_TARGET_FQDN", ""),
+		DaemonExtraArgs:   defaultEnv("TS_TAILSCALED_EXTRA_ARGS", ""),
+		ExtraArgs:         defaultEnv("TS_EXTRA_ARGS", ""),
+		InKubernetes:      os.Getenv("KUBERNETES_SERVICE_HOST") != "",
+		UserspaceMode:     defaultBool("TS_USERSPACE", true),
+		StateDir:          defaultEnv("TS_STATE_DIR", ""),
+		AcceptDNS:         defaultBool("TS_ACCEPT_DNS", false),
+		KubeSecret:        defaultEnv("TS_KUBE_SECRET", "tailscale"),
+		SOCKSProxyAddr:    defaultEnv("TS_SOCKS5_SERVER", ""),
+		HTTPProxyAddr:     defaultEnv("TS_OUTBOUND_HTTP_PROXY_LISTEN", ""),
+		Socket:            defaultEnv("TS_SOCKET", "/tmp/tailscaled.sock"),
+		AuthOnce:          defaultBool("TS_AUTH_ONCE", false),
+		Root:              defaultEnv("TS_TEST_ONLY_ROOT", "/"),
 	}
-	if err := cfg.validate(); err != nil {
-		log.Fatalf("invalid configuration: %v", err)
+
+	if cfg.ProxyTo != "" && cfg.UserspaceMode {
+		log.Fatal("TS_DEST_IP is not supported with TS_USERSPACE")
+	}
+
+	if cfg.TailnetTargetIP != "" && cfg.UserspaceMode {
+		log.Fatal("TS_TAILNET_TARGET_IP is not supported with TS_USERSPACE")
+	}
+	if cfg.TailnetTargetFQDN != "" && cfg.UserspaceMode {
+		log.Fatal("TS_TAILNET_TARGET_FQDN is not supported with TS_USERSPACE")
+	}
+	if cfg.TailnetTargetFQDN != "" && cfg.TailnetTargetIP != "" {
+		log.Fatal("Both TS_TAILNET_TARGET_IP and TS_TAILNET_FQDN cannot be set")
 	}

 	if !cfg.UserspaceMode {
@@ -169,7 +172,7 @@ func main() {
 		}
 		cfg.KubernetesCanPatch = canPatch

-		if cfg.AuthKey == "" && !isOneStepConfig(cfg) {
+		if cfg.AuthKey == "" {
 			key, err := findKeyInKubeSecret(bootCtx, cfg.KubeSecret)
 			if err != nil {
 				log.Fatalf("Getting authkey from kube secret: %v", err)
@@ -251,7 +254,7 @@ func main() {
 		return nil
 	}

-	if isTwoStepConfigAlwaysAuth(cfg) {
+	if !cfg.AuthOnce {
 		if err := authTailscale(); err != nil {
 			log.Fatalf("failed to auth tailscale: %v", err)
 		}
@@ -267,13 +270,6 @@ authLoop:
 		if n.State != nil {
 			switch *n.State {
 			case ipn.NeedsLogin:
-				if isOneStepConfig(cfg) {
-					// This could happen if this is the
-					// first time tailscaled was run for
-					// this device and the auth key was not
-					// passed via the configfile.
-					log.Fatalf("invalid state: tailscaled daemon started with a config file, but tailscale is not logged in: ensure you pass a valid auth key in the config file.")
-				}
 				if err := authTailscale(); err != nil {
 					log.Fatalf("failed to auth tailscale: %v", err)
 				}
@@ -298,13 +294,13 @@ authLoop:
 	ctx, cancel := contextWithExitSignalWatch()
 	defer cancel()

-	if isTwoStepConfigAuthOnce(cfg) {
-		// Now that we are authenticated, we can set/reset any of the
-		// settings that we need to.
-		if err := tailscaleSet(ctx, cfg); err != nil {
-			log.Fatalf("failed to auth tailscale: %v", err)
-		}
-	}
+	// if cfg.AuthOnce {
+	// 	// Now that we are authenticated, we can set/reset any of the
+	// 	// settings that we need to.
+	// 	// if err := tailscaleSet(ctx, cfg); err != nil {
+	// 	// 	log.Fatalf("failed to auth tailscale: %v", err)
+	// 	// }
+	// }

 	if cfg.ServeConfigPath != "" {
 		// Remove any serve config that may have been set by a previous run of
@@ -314,14 +310,14 @@ authLoop:
 		}
 	}

-	if cfg.InKubernetes && cfg.KubeSecret != "" && cfg.KubernetesCanPatch && isTwoStepConfigAuthOnce(cfg) {
+	if cfg.InKubernetes && cfg.KubeSecret != "" && cfg.KubernetesCanPatch && cfg.AuthOnce {
 		// We were told to only auth once, so any secret-bound
 		// authkey is no longer needed. We don't strictly need to
 		// wipe it, but it's good hygiene.
-		log.Printf("Deleting authkey from kube secret")
-		if err := deleteAuthKey(ctx, cfg.KubeSecret); err != nil {
-			log.Fatalf("deleting authkey from kube secret: %v", err)
-		}
+		// log.Printf("Deleting authkey from kube secret")
+		// if err := deleteAuthKey(ctx, cfg.KubeSecret); err != nil {
+		// 	log.Fatalf("deleting authkey from kube secret: %v", err)
+		// }
 	}

 	w, err = client.WatchIPNBus(ctx, ipn.NotifyInitialNetMap|ipn.NotifyInitialState)
@@ -639,46 +635,52 @@ func tailscaledArgs(cfg *settings) []string {
 	if cfg.HTTPProxyAddr != "" {
 		args = append(args, "--outbound-http-proxy-listen="+cfg.HTTPProxyAddr)
 	}
-	if cfg.TailscaledConfigFilePath != "" {
-		args = append(args, "--config="+cfg.TailscaledConfigFilePath)
-	}
 	if cfg.DaemonExtraArgs != "" {
 		args = append(args, strings.Fields(cfg.DaemonExtraArgs)...)
 	}
+	if cfg.ConfigFilePath != "" {
+		args = append(args, "--config="+cfg.ConfigFilePath)
+	}
 	return args
 }

 // tailscaleUp uses cfg to run 'tailscale up' everytime containerboot starts, or
 // if TS_AUTH_ONCE is set, only the first time containerboot starts.
 func tailscaleUp(ctx context.Context, cfg *settings) error {
-	args := []string{"--socket=" + cfg.Socket, "up"}
-	if cfg.AcceptDNS != nil && *cfg.AcceptDNS {
-		args = append(args, "--accept-dns=true")
-	} else {
-		args = append(args, "--accept-dns=false")
+	command := "up"
+	if cfg.ConfigFilePath != "" {
+		command = "login"
 	}
+	args := []string{"--socket=" + cfg.Socket, command}
 	if cfg.AuthKey != "" {
 		args = append(args, "--authkey="+cfg.AuthKey)
 	}
-	// --advertise-routes can be passed an empty string to configure a
-	// device (that might have previously advertised subnet routes) to not
-	// advertise any routes. Respect an empty string passed by a user and
-	// use it to explicitly unset the routes.
-	if cfg.Routes != nil {
-		args = append(args, "--advertise-routes="+*cfg.Routes)
+	if cfg.ConfigFilePath == "" {
+		if cfg.AcceptDNS {
+			args = append(args, "--accept-dns=true")
+		} else {
+			args = append(args, "--accept-dns=false")
+		}
+		// --advertise-routes can be passed an empty string to configure a
+		// device (that might have previously advertised subnet routes) to not
+		// advertise any routes. Respect an empty string passed by a user and
+		// use it to explicitly unset the routes.
+		if cfg.Routes != nil {
+			args = append(args, "--advertise-routes="+*cfg.Routes)
+		}
+		if cfg.Hostname != "" {
+			args = append(args, "--hostname="+cfg.Hostname)
+		}
+		if cfg.ExtraArgs != "" {
+			args = append(args, strings.Fields(cfg.ExtraArgs)...)
+		}
 	}
-	if cfg.Hostname != "" {
-		args = append(args, "--hostname="+cfg.Hostname)
-	}
-	if cfg.ExtraArgs != "" {
-		args = append(args, strings.Fields(cfg.ExtraArgs)...)
-	}
-	log.Printf("Running 'tailscale up'")
+	log.Printf("Running 'tailscale %s' with args %#+v", command, args)
 	cmd := exec.CommandContext(ctx, "tailscale", args...)
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
 	if err := cmd.Run(); err != nil {
-		return fmt.Errorf("tailscale up failed: %v", err)
+		log.Printf("tailscale up with args %#+v failed: %v", args, err)
 	}
 	return nil
 }
@@ -686,32 +688,35 @@ func tailscaleUp(ctx context.Context, cfg *settings) error {
 // tailscaleSet uses cfg to run 'tailscale set' to set any known configuration
 // options that are passed in via environment variables. This is run after the
 // node is in Running state and only if TS_AUTH_ONCE is set.
-func tailscaleSet(ctx context.Context, cfg *settings) error {
-	args := []string{"--socket=" + cfg.Socket, "set"}
-	if cfg.AcceptDNS != nil && *cfg.AcceptDNS {
-		args = append(args, "--accept-dns=true")
-	} else {
-		args = append(args, "--accept-dns=false")
-	}
-	// --advertise-routes can be passed an empty string to configure a
-	// device (that might have previously advertised subnet routes) to not
-	// advertise any routes. Respect an empty string passed by a user and
-	// use it to explicitly unset the routes.
-	if cfg.Routes != nil {
-		args = append(args, "--advertise-routes="+*cfg.Routes)
-	}
-	if cfg.Hostname != "" {
-		args = append(args, "--hostname="+cfg.Hostname)
-	}
-	log.Printf("Running 'tailscale set'")
-	cmd := exec.CommandContext(ctx, "tailscale", args...)
-	cmd.Stdout = os.Stdout
-	cmd.Stderr = os.Stderr
-	if err := cmd.Run(); err != nil {
-		return fmt.Errorf("tailscale set failed: %v", err)
-	}
-	return nil
-}
+// func tailscaleSet(ctx context.Context, cfg *settings) error {
+// 	args := []string{"--socket=" + cfg.Socket, "set"}
+// 	// TODO: fix
+// 	if cfg.ConfigFilePath == "" {
+// 		if cfg.AcceptDNS {
+// 			args = append(args, "--accept-dns=true")
+// 		} else {
+// 			args = append(args, "--accept-dns=false")
+// 		}
+// 		// --advertise-routes can be passed an empty string to configure a
+// 		// device (that might have previously advertised subnet routes) to not
+// 		// advertise any routes. Respect an empty string passed by a user and
+// 		// use it to explicitly unset the routes.
+// 		if cfg.Routes != nil {
+// 			args = append(args, "--advertise-routes="+*cfg.Routes)
+// 		}
+// 		if cfg.Hostname != "" {
+// 			args = append(args, "--hostname="+cfg.Hostname)
+// 		}
+// 	}
+// 	log.Printf("Running 'tailscale set'")
+// 	cmd := exec.CommandContext(ctx, "tailscale", args...)
+// 	cmd.Stdout = os.Stdout
+// 	cmd.Stderr = os.Stderr
+// 	if err := cmd.Run(); err != nil {
+// 		return fmt.Errorf("tailscale set failed: %v", err)
+// 	}
+// 	return nil
+// }

 // ensureTunFile checks that /dev/net/tun exists, creating it if
 // missing.
@@ -881,46 +886,22 @@ type settings struct {
 	// TailnetTargetFQDN is an MagicDNS name to which all incoming
 	// non-Tailscale traffic should be proxied. This must be a full Tailnet
 	// node FQDN.
-	TailnetTargetFQDN        string
-	ServeConfigPath          string
-	DaemonExtraArgs          string
-	ExtraArgs                string
-	InKubernetes             bool
-	UserspaceMode            bool
-	StateDir                 string
-	AcceptDNS                *bool
-	KubeSecret               string
-	SOCKSProxyAddr           string
-	HTTPProxyAddr            string
-	Socket                   string
-	AuthOnce                 bool
-	Root                     string
-	KubernetesCanPatch       bool
-	TailscaledConfigFilePath string
-}
-
-func (s *settings) validate() error {
-	if s.TailscaledConfigFilePath != "" {
-		if _, err := conffile.Load(s.TailscaledConfigFilePath); err != nil {
-			return fmt.Errorf("error validating tailscaled configfile contents: %w", err)
-		}
-	}
-	if s.ProxyTo != "" && s.UserspaceMode {
-		return errors.New("TS_DEST_IP is not supported with TS_USERSPACE")
-	}
-	if s.TailnetTargetIP != "" && s.UserspaceMode {
-		return errors.New("TS_TAILNET_TARGET_IP is not supported with TS_USERSPACE")
-	}
-	if s.TailnetTargetFQDN != "" && s.UserspaceMode {
-		return errors.New("TS_TAILNET_TARGET_FQDN is not supported with TS_USERSPACE")
-	}
-	if s.TailnetTargetFQDN != "" && s.TailnetTargetIP != "" {
-		return errors.New("Both TS_TAILNET_TARGET_IP and TS_TAILNET_FQDN cannot be set")
-	}
-	if s.TailscaledConfigFilePath != "" && (s.AcceptDNS != nil || s.AuthKey != "" || s.Routes != nil || s.ExtraArgs != "" || s.Hostname != "") {
-		return errors.New("EXPERIMENTAL_TS_CONFIGFILE_PATH cannot be set in combination with TS_HOSTNAME, TS_EXTRA_ARGS, TS_AUTHKEY, TS_ROUTES, TS_ACCEPT_DNS.")
-	}
-	return nil
+	TailnetTargetFQDN  string
+	ServeConfigPath    string
+	DaemonExtraArgs    string
+	ExtraArgs          string
+	InKubernetes       bool
+	UserspaceMode      bool
+	StateDir           string
+	AcceptDNS          bool
+	KubeSecret         string
+	SOCKSProxyAddr     string
+	HTTPProxyAddr      string
+	Socket             string
+	AuthOnce           bool
+	Root               string
+	KubernetesCanPatch bool
+	ConfigFilePath     string
 }

 // defaultEnv returns the value of the given envvar name, or defVal if
@@ -932,28 +913,16 @@ func defaultEnv(name, defVal string) string {
 	return defVal
 }

-// defaultEnvStringPointer returns a pointer to the given envvar value if set, else
+// defaultEnvPointer returns a pointer to the given envvar value if set, else
 // returns nil. This is useful in cases where we need to distinguish between a
 // variable being set to empty string vs unset.
-func defaultEnvStringPointer(name string) *string {
+func defaultEnvPointer(name string) *string {
 	if v, ok := os.LookupEnv(name); ok {
 		return &v
 	}
 	return nil
 }

-// defaultEnvBoolPointer returns a pointer to the given envvar value if set, else
-// returns nil. This is useful in cases where we need to distinguish between a
-// variable being explicitly set to false vs unset.
-func defaultEnvBoolPointer(name string) *bool {
-	v := os.Getenv(name)
-	ret, err := strconv.ParseBool(v)
-	if err != nil {
-		return nil
-	}
-	return &ret
-}
-
 func defaultEnvs(names []string, defVal string) string {
 	for _, name := range names {
 		if v, ok := os.LookupEnv(name); ok {
@@ -995,27 +964,3 @@ func contextWithExitSignalWatch() (context.Context, func()) {
 	}
 	return ctx, f
 }
-
-// isTwoStepConfigAuthOnce returns true if the Tailscale node should be configured
-// in two steps and login should only happen once.
-// Step 1: run 'tailscaled'
-// Step 2):
-// A) if this is the first time starting this node run 'tailscale up --authkey <authkey> <config opts>'
-// B) if this is not the first time starting this node run 'tailscale set <config opts>'.
-func isTwoStepConfigAuthOnce(cfg *settings) bool {
-	return cfg.AuthOnce && cfg.TailscaledConfigFilePath == ""
-}
-
-// isTwoStepConfigAlwaysAuth returns true if the Tailscale node should be configured
-// in two steps and we should log in every time it starts.
-// Step 1: run 'tailscaled'
-// Step 2): run 'tailscale up --authkey <authkey> <config opts>'
-func isTwoStepConfigAlwaysAuth(cfg *settings) bool {
-	return !cfg.AuthOnce && cfg.TailscaledConfigFilePath == ""
-}
-
-// isOneStepConfig returns true if the Tailscale node should always be ran and
-// configured in a single step by running 'tailscaled <config opts>'
-func isOneStepConfig(cfg *settings) bool {
-	return cfg.TailscaledConfigFilePath != ""
-}
--- a/cmd/containerboot/main_test.go
+++ b/cmd/containerboot/main_test.go
@@ -52,12 +52,6 @@ func TestContainerBoot(t *testing.T) {
 	}
 	defer kube.Close()

-	tailscaledConf := &ipn.ConfigVAlpha{AuthKey: func(s string) *string { return &s }("foo"), Version: "alpha0"}
-	tailscaledConfBytes, err := json.Marshal(tailscaledConf)
-	if err != nil {
-		t.Fatalf("error unmarshaling tailscaled config: %v", err)
-	}
-
 	dirs := []string{
 		"var/lib",
 		"usr/bin",
@@ -65,7 +59,6 @@ func TestContainerBoot(t *testing.T) {
 		"dev/net",
 		"proc/sys/net/ipv4",
 		"proc/sys/net/ipv6/conf/all",
-		"etc",
 	}
 	for _, path := range dirs {
 		if err := os.MkdirAll(filepath.Join(d, path), 0700); err != nil {
@@ -80,7 +73,6 @@ func TestContainerBoot(t *testing.T) {
 		"dev/net/tun":                           []byte(""),
 		"proc/sys/net/ipv4/ip_forward":          []byte("0"),
 		"proc/sys/net/ipv6/conf/all/forwarding": []byte("0"),
-		"etc/tailscaled":                        tailscaledConfBytes,
 	}
 	resetFiles := func() {
 		for path, content := range files {
@@ -318,7 +310,7 @@ func TestContainerBoot(t *testing.T) {
 			},
 		},
 		{
-			Name: "ingress proxy",
+			Name: "ingres proxy",
 			Env: map[string]string{
 				"TS_AUTHKEY":   "tskey-key",
 				"TS_DEST_IP":   "1.2.3.4",
@@ -637,21 +629,6 @@ func TestContainerBoot(t *testing.T) {
 				},
 			},
 		},
-		{
-			Name: "experimental tailscaled configfile",
-			Env: map[string]string{
-				"EXPERIMENTAL_TS_CONFIGFILE_PATH": filepath.Join(d, "etc/tailscaled"),
-			},
-			Phases: []phase{
-				{
-					WantCmds: []string{
-						"/usr/bin/tailscaled --socket=/tmp/tailscaled.sock --state=mem: --statedir=/tmp --tun=userspace-networking --config=/etc/tailscaled",
-					},
-				}, {
-					Notify: runningNotify,
-				},
-			},
-		},
 	}

 	for _, test := range tests {
--- a/cmd/derper/depaware.txt
+++ b/cmd/derper/depaware.txt
@@ -105,8 +105,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        tailscale.com/net/netutil                                    from tailscale.com/client/tailscale
        tailscale.com/net/packet                                     from tailscale.com/wgengine/filter
        tailscale.com/net/sockstats                                  from tailscale.com/derp/derphttp
-        tailscale.com/net/stun                                       from tailscale.com/net/stunserver
-        tailscale.com/net/stunserver                                 from tailscale.com/cmd/derper
+        tailscale.com/net/stun                                       from tailscale.com/cmd/derper
   L    tailscale.com/net/tcpinfo                                    from tailscale.com/derp
        tailscale.com/net/tlsdial                                    from tailscale.com/derp/derphttp
        tailscale.com/net/tsaddr                                     from tailscale.com/ipn+
@@ -153,7 +152,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        tailscale.com/util/set                                       from tailscale.com/health+
        tailscale.com/util/singleflight                              from tailscale.com/net/dnscache
        tailscale.com/util/slicesx                                   from tailscale.com/cmd/derper+
-        tailscale.com/util/syspolicy                                 from tailscale.com/ipn
        tailscale.com/util/vizerror                                  from tailscale.com/tsweb+
   W 💣 tailscale.com/util/winutil                                   from tailscale.com/hostinfo+
        tailscale.com/version                                        from tailscale.com/derp+
@@ -233,7 +231,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        encoding/pem                                                 from crypto/tls+
        errors                                                       from bufio+
        expvar                                                       from tailscale.com/cmd/derper+
-        flag                                                         from tailscale.com/cmd/derper+
+        flag                                                         from tailscale.com/cmd/derper
        fmt                                                          from compress/flate+
        go/token                                                     from google.golang.org/protobuf/internal/strs
        hash                                                         from crypto+
@@ -264,7 +262,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        net/url                                                      from crypto/x509+
        os                                                           from crypto/rand+
        os/exec                                                      from golang.zx2c4.com/wireguard/windows/tunnel/winipcfg+
-        os/signal                                                    from tailscale.com/cmd/derper
   W    os/user                                                      from tailscale.com/util/winutil
        path                                                         from golang.org/x/crypto/acme/autocert+
        path/filepath                                                from crypto/x509+
@@ -274,7 +271,7 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        runtime/debug                                                from golang.org/x/crypto/acme+
        runtime/metrics                                              from github.com/prometheus/client_golang/prometheus+
        runtime/pprof                                                from net/http/pprof
-        runtime/trace                                                from net/http/pprof+
+        runtime/trace                                                from net/http/pprof
        slices                                                       from tailscale.com/ipn/ipnstate+
        sort                                                         from compress/flate+
        strconv                                                      from compress/flate+
@@ -282,7 +279,6 @@ tailscale.com/cmd/derper dependencies: (generated by github.com/tailscale/depawa
        sync                                                         from compress/flate+
        sync/atomic                                                  from context+
        syscall                                                      from crypto/rand+
-        testing                                                      from tailscale.com/util/syspolicy
        text/tabwriter                                               from runtime/pprof
        time                                                         from compress/gzip+
        unicode                                                      from bytes+
--- a/cmd/derper/derper.go
+++ b/cmd/derper/derper.go
@@ -17,12 +17,11 @@ import (
 	"math"
 	"net"
 	"net/http"
+	"net/netip"
 	"os"
-	"os/signal"
 	"path/filepath"
 	"regexp"
 	"strings"
-	"syscall"
 	"time"

 	"go4.org/mem"
@@ -31,7 +30,7 @@ import (
 	"tailscale.com/derp"
 	"tailscale.com/derp/derphttp"
 	"tailscale.com/metrics"
-	"tailscale.com/net/stunserver"
+	"tailscale.com/net/stun"
 	"tailscale.com/tsweb"
 	"tailscale.com/types/key"
 	"tailscale.com/util/cmpx"
@@ -60,11 +59,25 @@ var (
 )

 var (
+	stats             = new(metrics.Set)
+	stunDisposition   = &metrics.LabelMap{Label: "disposition"}
+	stunAddrFamily    = &metrics.LabelMap{Label: "family"}
 	tlsRequestVersion = &metrics.LabelMap{Label: "version"}
 	tlsActiveVersion  = &metrics.LabelMap{Label: "version"}
+
+	stunReadError  = stunDisposition.Get("read_error")
+	stunNotSTUN    = stunDisposition.Get("not_stun")
+	stunWriteError = stunDisposition.Get("write_error")
+	stunSuccess    = stunDisposition.Get("success")
+
+	stunIPv4 = stunAddrFamily.Get("ipv4")
+	stunIPv6 = stunAddrFamily.Get("ipv6")
 )

 func init() {
+	stats.Set("counter_requests", stunDisposition)
+	stats.Set("counter_addrfamily", stunAddrFamily)
+	expvar.Publish("stun", stats)
 	expvar.Publish("derper_tls_request_version", tlsRequestVersion)
 	expvar.Publish("gauge_derper_tls_active_version", tlsActiveVersion)
 }
@@ -122,9 +135,6 @@ func writeNewConfig() config {
 func main() {
 	flag.Parse()

-	ctx, cancel := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
-	defer cancel()
-
 	if *dev {
 		*addr = ":3340" // above the keys DERP
 		log.Printf("Running in dev mode.")
@@ -136,11 +146,6 @@ func main() {
 		log.Fatalf("invalid server address: %v", err)
 	}

-	if *runSTUN {
-		ss := stunserver.New(ctx)
-		go ss.ListenAndServe(net.JoinHostPort(listenHost, fmt.Sprint(*stunPort)))
-	}
-
 	cfg := loadConfig()

 	serveTLS := tsweb.IsProd443(*addr) || *certMode == "manual"
@@ -216,6 +221,10 @@ func main() {
 	}))
 	debug.Handle("traffic", "Traffic check", http.HandlerFunc(s.ServeDebugTraffic))

+	if *runSTUN {
+		go serveSTUN(listenHost, *stunPort)
+	}
+
 	quietLogger := log.New(logFilter{}, "", 0)
 	httpsrv := &http.Server{
 		Addr:     *addr,
@@ -232,10 +241,6 @@ func main() {
 		ReadTimeout:  30 * time.Second,
 		WriteTimeout: 30 * time.Second,
 	}
-	go func() {
-		<-ctx.Done()
-		httpsrv.Shutdown(ctx)
-	}()

 	if serveTLS {
 		log.Printf("derper: serving on %s with TLS", *addr)
@@ -346,6 +351,59 @@ func probeHandler(w http.ResponseWriter, r *http.Request) {
 	}
 }

+func serveSTUN(host string, port int) {
+	pc, err := net.ListenPacket("udp", net.JoinHostPort(host, fmt.Sprint(port)))
+	if err != nil {
+		log.Fatalf("failed to open STUN listener: %v", err)
+	}
+	log.Printf("running STUN server on %v", pc.LocalAddr())
+	serverSTUNListener(context.Background(), pc.(*net.UDPConn))
+}
+
+func serverSTUNListener(ctx context.Context, pc *net.UDPConn) {
+	var buf [64 << 10]byte
+	var (
+		n   int
+		ua  *net.UDPAddr
+		err error
+	)
+	for {
+		n, ua, err = pc.ReadFromUDP(buf[:])
+		if err != nil {
+			if ctx.Err() != nil {
+				return
+			}
+			log.Printf("STUN ReadFrom: %v", err)
+			time.Sleep(time.Second)
+			stunReadError.Add(1)
+			continue
+		}
+		pkt := buf[:n]
+		if !stun.Is(pkt) {
+			stunNotSTUN.Add(1)
+			continue
+		}
+		txid, err := stun.ParseBindingRequest(pkt)
+		if err != nil {
+			stunNotSTUN.Add(1)
+			continue
+		}
+		if ua.IP.To4() != nil {
+			stunIPv4.Add(1)
+		} else {
+			stunIPv6.Add(1)
+		}
+		addr, _ := netip.AddrFromSlice(ua.IP)
+		res := stun.Response(txid, netip.AddrPortFrom(addr, uint16(ua.Port)))
+		_, err = pc.WriteTo(res, ua)
+		if err != nil {
+			stunWriteError.Add(1)
+		} else {
+			stunSuccess.Add(1)
+		}
+	}
+}
+
 var validProdHostname = regexp.MustCompile(`^derp([^.]*)\.tailscale\.com\.?$`)

 func prodAutocertHostPolicy(_ context.Context, host string) error {
--- a/cmd/derper/derper_test.go
+++ b/cmd/derper/derper_test.go
@@ -5,11 +5,13 @@ package main

 import (
 	"context"
+	"net"
 	"net/http"
 	"net/http/httptest"
 	"strings"
 	"testing"

+	"tailscale.com/net/stun"
 	"tailscale.com/tstest/deptest"
 )

@@ -37,6 +39,38 @@ func TestProdAutocertHostPolicy(t *testing.T) {
 	}
 }

+func BenchmarkServerSTUN(b *testing.B) {
+	b.ReportAllocs()
+	pc, err := net.ListenPacket("udp", "127.0.0.1:0")
+	if err != nil {
+		b.Fatal(err)
+	}
+	defer pc.Close()
+	ctx, cancel := context.WithCancel(context.Background())
+	defer cancel()
+	go serverSTUNListener(ctx, pc.(*net.UDPConn))
+	addr := pc.LocalAddr().(*net.UDPAddr)
+
+	var resBuf [1500]byte
+	cc, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.ParseIP("127.0.0.1")})
+	if err != nil {
+		b.Fatal(err)
+	}
+
+	tx := stun.NewTxID()
+	req := stun.Request(tx)
+	for i := 0; i < b.N; i++ {
+		if _, err := cc.WriteToUDP(req, addr); err != nil {
+			b.Fatal(err)
+		}
+		_, _, err := cc.ReadFromUDP(resBuf[:])
+		if err != nil {
+			b.Fatal(err)
+		}
+	}
+
+}
+
 func TestNoContent(t *testing.T) {
 	testCases := []struct {
 		name  string
--- a/cmd/k8s-operator/connector.go
+++ b/cmd/k8s-operator/connector.go
@@ -7,6 +7,7 @@ package main

 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"net/netip"
 	"slices"
@@ -24,8 +25,10 @@ import (
 	"k8s.io/client-go/tools/record"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"tailscale.com/ipn"
 	tsoperator "tailscale.com/k8s-operator"
 	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
+	"tailscale.com/net/netutil"
 	"tailscale.com/tstime"
 	"tailscale.com/util/clientmetric"
 	"tailscale.com/util/set"
@@ -39,8 +42,9 @@ const (
 	reasonConnectorCleanupInProgress = "ConnectorCleanupInProgress"
 	reasonConnectorInvalid           = "ConnectorInvalid"

-	messageConnectorCreationFailed = "Failed creating Connector: %v"
-	messageConnectorInvalid        = "Connector is invalid: %v"
+	messageConnectorCreationFailed   = "Failed creating Connector: %v"
+	messageConnectorInvalid          = "Connector is invalid: %v"
+	messageSubnetRouterCleanupFailed = "Failed cleaning up Connector resources: %v"

 	shortRequeue = time.Second * 5
 )
@@ -58,20 +62,15 @@ type ConnectorReconciler struct {

 	mu sync.Mutex // protects following

-	subnetRouters set.Slice[types.UID] // for subnet routers gauge
-	exitNodes     set.Slice[types.UID] // for exit nodes gauge
+	connectors set.Slice[types.UID] // for connectors gauge
 }

 var (
-	// gaugeConnectorResources tracks the overall number of Connectors currently managed by this operator instance.
+	// gaugeConnectorResources tracks the number of Connectors currently managed by this operator instance
 	gaugeConnectorResources = clientmetric.NewGauge("k8s_connector_resources")
-	// gaugeConnectorSubnetRouterResources tracks the number of Connectors managed by this operator instance that are subnet routers.
-	gaugeConnectorSubnetRouterResources = clientmetric.NewGauge("k8s_connector_subnetrouter_resources")
-	// gaugeConnectorExitNodeResources tracks the number of Connectors currently managed by this operator instance that are exit nodes.
-	gaugeConnectorExitNodeResources = clientmetric.NewGauge("k8s_connector_exitnode_resources")
 )

-func (a *ConnectorReconciler) Reconcile(ctx context.Context, req reconcile.Request) (res reconcile.Result, err error) {
+func (a *ConnectorReconciler) Reconcile(ctx context.Context, req reconcile.Request) (_ reconcile.Result, err error) {
 	logger := a.logger.With("Connector", req.Name)
 	logger.Debugf("starting reconcile")
 	defer logger.Debugf("reconcile finished")
@@ -107,17 +106,21 @@ func (a *ConnectorReconciler) Reconcile(ctx context.Context, req reconcile.Reque
 		return reconcile.Result{}, nil
 	}

+	var (
+		reason, message string
+		readyStatus     metav1.ConditionStatus
+	)
+
 	oldCnStatus := cn.Status.DeepCopy()
-	setStatus := func(cn *tsapi.Connector, conditionType tsapi.ConnectorConditionType, status metav1.ConditionStatus, reason, message string) (reconcile.Result, error) {
-		tsoperator.SetConnectorCondition(cn, tsapi.ConnectorReady, status, reason, message, cn.Generation, a.clock, logger)
+	defer func() {
+		tsoperator.SetConnectorCondition(cn, tsapi.ConnectorReady, readyStatus, reason, message, cn.Generation, a.clock, logger)
 		if !apiequality.Semantic.DeepEqual(oldCnStatus, cn.Status) {
 			// An error encountered here should get returned by the Reconcile function.
 			if updateErr := a.Client.Status().Update(ctx, cn); updateErr != nil {
-				err = errors.Wrap(err, updateErr.Error())
+				err = updateErr
 			}
 		}
-		return res, err
-	}
+	}()

 	if !slices.Contains(cn.Finalizers, FinalizerName) {
 		// This log line is printed exactly once during initial provisioning,
@@ -127,33 +130,43 @@ func (a *ConnectorReconciler) Reconcile(ctx context.Context, req reconcile.Reque
 		logger.Infof("ensuring Connector is set up")
 		cn.Finalizers = append(cn.Finalizers, FinalizerName)
 		if err := a.Update(ctx, cn); err != nil {
-			logger.Errorf("error adding finalizer: %w", err)
-			return setStatus(cn, tsapi.ConnectorReady, metav1.ConditionFalse, reasonConnectorCreationFailed, reasonConnectorCreationFailed)
+			err = fmt.Errorf("failed to add finalizer: %w", err)
+			logger.Errorf("error adding finalizer: %v", err)
+			reason = reasonConnectorCreationFailed
+			message = fmt.Sprintf(messageConnectorCreationFailed, err)
+			readyStatus = metav1.ConditionFalse
+			return reconcile.Result{}, err
 		}
 	}

 	if err := a.validate(cn); err != nil {
 		logger.Errorf("error validating Connector spec: %w", err)
-		message := fmt.Sprintf(messageConnectorInvalid, err)
+		reason = reasonConnectorInvalid
+		message = fmt.Sprintf(messageConnectorInvalid, err)
+		readyStatus = metav1.ConditionFalse
 		a.recorder.Eventf(cn, corev1.EventTypeWarning, reasonConnectorInvalid, message)
-		return setStatus(cn, tsapi.ConnectorReady, metav1.ConditionFalse, reasonConnectorInvalid, message)
+		return reconcile.Result{}, nil
 	}

 	if err = a.maybeProvisionConnector(ctx, logger, cn); err != nil {
 		logger.Errorf("error creating Connector resources: %w", err)
-		message := fmt.Sprintf(messageConnectorCreationFailed, err)
-		a.recorder.Eventf(cn, corev1.EventTypeWarning, reasonConnectorCreationFailed, message)
-		return setStatus(cn, tsapi.ConnectorReady, metav1.ConditionFalse, reasonConnectorCreationFailed, message)
+		reason = reasonConnectorCreationFailed
+		message = fmt.Sprintf(messageConnectorCreationFailed, err)
+		readyStatus = metav1.ConditionFalse
+		a.recorder.Eventf(cn, corev1.EventTypeWarning, reason, message)
+	} else {
+		logger.Info("Connector resources synced")
+		reason = reasonConnectorCreated
+		message = reasonConnectorCreated
+		readyStatus = metav1.ConditionTrue
+		cn.Status.IsExitNode = cn.Spec.IsExitNode
+		if cn.Spec.SubnetRouter != nil {
+			cn.Status.SubnetRoutes = cn.Spec.SubnetRouter.Routes.Stringify()
+		} else {
+			cn.Status.SubnetRoutes = ""
+		}
 	}
-
-	logger.Info("Connector resources synced")
-	cn.Status.IsExitNode = cn.Spec.ExitNode
-	if cn.Spec.SubnetRouter != nil {
-		cn.Status.SubnetRoutes = cn.Spec.SubnetRouter.AdvertiseRoutes.Stringify()
-		return setStatus(cn, tsapi.ConnectorReady, metav1.ConditionTrue, reasonConnectorCreated, reasonConnectorCreated)
-	}
-	cn.Status.SubnetRoutes = ""
-	return setStatus(cn, tsapi.ConnectorReady, metav1.ConditionTrue, reasonConnectorCreated, reasonConnectorCreated)
+	return reconcile.Result{}, err
 }

 // maybeProvisionConnector ensures that any new resources required for this
@@ -171,37 +184,76 @@ func (a *ConnectorReconciler) maybeProvisionConnector(ctx context.Context, logge
 		ChildResourceLabels: crl,
 		Tags:                cn.Spec.Tags.Stringify(),
 		Connector: &connector{
-			isExitNode: cn.Spec.ExitNode,
+			isExitNode: cn.Spec.IsExitNode,
 		},
 	}

-	if cn.Spec.SubnetRouter != nil && len(cn.Spec.SubnetRouter.AdvertiseRoutes) > 0 {
-		sts.Connector.routes = cn.Spec.SubnetRouter.AdvertiseRoutes.Stringify()
+	if cn.Spec.SubnetRouter != nil && len(cn.Spec.SubnetRouter.Routes) > 0 {
+		sts.Connector.routes = cn.Spec.SubnetRouter.Routes.Stringify()
 	}

 	a.mu.Lock()
-	if sts.Connector.isExitNode {
-		a.exitNodes.Add(cn.UID)
-	} else {
-		a.exitNodes.Remove(cn.UID)
-	}
-	if sts.Connector.routes != "" {
-		a.subnetRouters.Add(cn.GetUID())
-	} else {
-		a.subnetRouters.Remove(cn.GetUID())
-	}
+	a.connectors.Add(cn.UID)
+	gaugeConnectorResources.Set(int64(a.connectors.Len()))
 	a.mu.Unlock()
-	gaugeConnectorSubnetRouterResources.Set(int64(a.subnetRouters.Len()))
-	gaugeConnectorExitNodeResources.Set(int64(a.exitNodes.Len()))
-	var connectors set.Slice[types.UID]
-	connectors.AddSlice(a.exitNodes.Slice())
-	connectors.AddSlice(a.subnetRouters.Slice())
-	gaugeConnectorResources.Set(int64(connectors.Len()))

 	_, err := a.ssr.Provision(ctx, logger, sts)
 	return err
 }

+func (a *tailscaleSTSReconciler) tsConfigCM(ctx context.Context, name, namespace string, logger *zap.SugaredLogger, sts *tailscaleSTSConfig) error {
+	confFile, err := confFile(sts)
+	if err != nil {
+		return fmt.Errorf("error provisioning config: %v", err)
+	}
+
+	jsonBytes, err := json.Marshal(confFile)
+	if err != nil {
+		return fmt.Errorf("error marshaling config file: %v", err)
+	}
+	cm := &corev1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: namespace,
+			Labels:    sts.ChildResourceLabels,
+		},
+		Data: map[string]string{
+			"tailscaled": string(jsonBytes),
+		},
+	}
+	_, err = createOrUpdate(ctx, a.Client, namespace, cm, func(config *corev1.ConfigMap) { config.Labels = cm.Labels; config.Data = cm.Data })
+	if err != nil {
+		return fmt.Errorf("error creating a ConfigMap: %v", err)
+	}
+	return nil
+}
+
+func confFile(sts *tailscaleSTSConfig) (*ipn.ConfigVAlpha, error) {
+	var (
+		routes []netip.Prefix
+		err    error
+	)
+	if sts.Connector != nil {
+		routes, err = netutil.CalcAdvertiseRoutes(sts.Connector.routes, sts.Connector.isExitNode)
+		if err != nil {
+			return nil, fmt.Errorf("error calculating routes: %v", err)
+		}
+	}
+	conf := &ipn.ConfigVAlpha{
+		Version:         "alpha0",
+		AdvertiseRoutes: routes,
+		AcceptDNS:       "false",
+		Hostname:        &sts.Hostname,
+		// Not sure how to log in if it's locked?
+		Locked: "false",
+	}
+	// fix - don't put the key there
+	if sts.key != "" {
+		conf.AuthKey = &sts.key
+	}
+	return conf, nil
+}
+
 func (a *ConnectorReconciler) maybeCleanupConnector(ctx context.Context, logger *zap.SugaredLogger, cn *tsapi.Connector) (bool, error) {
 	if done, err := a.ssr.Cleanup(ctx, logger, childResourceLabels(cn.Name, a.tsnamespace, "connector")); err != nil {
 		return false, fmt.Errorf("failed to cleanup Connector resources: %w", err)
@@ -216,15 +268,9 @@ func (a *ConnectorReconciler) maybeCleanupConnector(ctx context.Context, logger
 	// reconciles exit early.
 	logger.Infof("cleaned up Connector resources")
 	a.mu.Lock()
-	a.subnetRouters.Remove(cn.UID)
-	a.exitNodes.Remove(cn.UID)
-	a.mu.Unlock()
-	gaugeConnectorExitNodeResources.Set(int64(a.exitNodes.Len()))
-	gaugeConnectorSubnetRouterResources.Set(int64(a.subnetRouters.Len()))
-	var connectors set.Slice[types.UID]
-	connectors.AddSlice(a.exitNodes.Slice())
-	connectors.AddSlice(a.subnetRouters.Slice())
-	gaugeConnectorResources.Set(int64(connectors.Len()))
+	defer a.mu.Unlock()
+	a.connectors.Remove(cn.UID)
+	gaugeConnectorResources.Set(int64(a.connectors.Len()))
 	return true, nil
 }

@@ -232,8 +278,8 @@ func (a *ConnectorReconciler) validate(cn *tsapi.Connector) error {
 	// Connector fields are already validated at apply time with CEL validation
 	// on custom resource fields. The checks here are a backup in case the
 	// CEL validation breaks without us noticing.
-	if !(cn.Spec.SubnetRouter != nil || cn.Spec.ExitNode) {
-		return errors.New("invalid spec: a Connector must expose subnet routes or act as an exit node (or both)")
+	if !(cn.Spec.SubnetRouter != nil || cn.Spec.IsExitNode) {
+		return errors.New("invalid Connector spec- a Connector must be either expose subnet routes or act as exit node (or both)")
 	}
 	if cn.Spec.SubnetRouter == nil {
 		return nil
@@ -242,11 +288,11 @@ func (a *ConnectorReconciler) validate(cn *tsapi.Connector) error {
 }

 func validateSubnetRouter(sb *tsapi.SubnetRouter) error {
-	if len(sb.AdvertiseRoutes) < 1 {
+	if len(sb.Routes) < 1 {
 		return errors.New("invalid subnet router spec: no routes defined")
 	}
 	var err error
-	for _, route := range sb.AdvertiseRoutes {
+	for _, route := range sb.Routes {
 		pfx, e := netip.ParsePrefix(string(route))
 		if e != nil {
 			err = errors.Wrap(err, fmt.Sprintf("route %s is invalid: %v", route, err))
--- a/cmd/k8s-operator/connector_test.go
+++ b/cmd/k8s-operator/connector_test.go
@@ -7,6 +7,7 @@ package main

 import (
 	"context"
+	"fmt"
 	"testing"

 	"go.uber.org/zap"
@@ -17,6 +18,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 	tsapi "tailscale.com/k8s-operator/apis/v1alpha1"
 	"tailscale.com/tstest"
+	"tailscale.com/types/ptr"
 )

 func TestConnector(t *testing.T) {
@@ -33,9 +35,9 @@ func TestConnector(t *testing.T) {
 		},
 		Spec: tsapi.ConnectorSpec{
 			SubnetRouter: &tsapi.SubnetRouter{
-				AdvertiseRoutes: []tsapi.Route{"10.40.0.0/14"},
+				Routes: []tsapi.Route{"10.40.0.0/14"},
 			},
-			ExitNode: true,
+			IsExitNode: true,
 		},
 	}
 	fc := fake.NewClientBuilder().
@@ -66,57 +68,50 @@ func TestConnector(t *testing.T) {
 	expectReconciled(t, cr, "", "test")
 	fullName, shortName := findGenName(t, fc, "", "test", "connector")

-	opts := configOpts{
-		stsName:                    shortName,
-		secretName:                 fullName,
-		parentType:                 "connector",
-		hostname:                   "test-connector",
-		shouldUseDeclarativeConfig: true,
-		isExitNode:                 true,
-		subnetRoutes:               "10.40.0.0/14",
-		confFileHash:               "9321660203effb80983eaecc7b5ac5a8c53934926f46e895b9fe295dcfc5a904",
+	expectEqual(t, fc, expectedSecret(fullName, "", "connector"))
+	opts := connectorSTSOpts{
+		connectorName: "test",
+		stsName:       shortName,
+		secretName:    fullName,
+		routes:        "10.40.0.0/14",
+		isExitNode:    true,
 	}
-	expectEqual(t, fc, expectedSecret(t, opts))
-	expectEqual(t, fc, expectedSTS(opts))
+	expectEqual(t, fc, expectedConnectorSTS(opts))

 	// Add another route to be advertised.
 	mustUpdate[tsapi.Connector](t, fc, "", "test", func(conn *tsapi.Connector) {
-		conn.Spec.SubnetRouter.AdvertiseRoutes = []tsapi.Route{"10.40.0.0/14", "10.44.0.0/20"}
+		conn.Spec.SubnetRouter.Routes = []tsapi.Route{"10.40.0.0/14", "10.44.0.0/20"}
 	})
-	opts.subnetRoutes = "10.40.0.0/14,10.44.0.0/20"
-	opts.confFileHash = "fb6c4daf67425f983985750cd8d6f2beae77e614fcb34176604571f5623d6862"
 	expectReconciled(t, cr, "", "test")
+	opts.routes = "10.40.0.0/14,10.44.0.0/20"

-	expectEqual(t, fc, expectedSTS(opts))
+	expectEqual(t, fc, expectedConnectorSTS(opts))

 	// Remove a route.
 	mustUpdate[tsapi.Connector](t, fc, "", "test", func(conn *tsapi.Connector) {
-		conn.Spec.SubnetRouter.AdvertiseRoutes = []tsapi.Route{"10.44.0.0/20"}
+		conn.Spec.SubnetRouter.Routes = []tsapi.Route{"10.44.0.0/20"}
 	})
-	opts.subnetRoutes = "10.44.0.0/20"
-	opts.confFileHash = "bacba177bcfe3849065cf6fee53d658a9bb4144197ac5b861727d69ea99742bb"
 	expectReconciled(t, cr, "", "test")
-	expectEqual(t, fc, expectedSTS(opts))
+	opts.routes = "10.44.0.0/20"
+	expectEqual(t, fc, expectedConnectorSTS(opts))

 	// Remove the subnet router.
 	mustUpdate[tsapi.Connector](t, fc, "", "test", func(conn *tsapi.Connector) {
 		conn.Spec.SubnetRouter = nil
 	})
-	opts.subnetRoutes = ""
-	opts.confFileHash = "7c421a99128eb80e79a285a82702f19f8f720615542a15bd794858a6275d8079"
 	expectReconciled(t, cr, "", "test")
-	expectEqual(t, fc, expectedSTS(opts))
+	opts.routes = ""
+	expectEqual(t, fc, expectedConnectorSTS(opts))

 	// Re-add the subnet router.
 	mustUpdate[tsapi.Connector](t, fc, "", "test", func(conn *tsapi.Connector) {
 		conn.Spec.SubnetRouter = &tsapi.SubnetRouter{
-			AdvertiseRoutes: []tsapi.Route{"10.44.0.0/20"},
+			Routes: []tsapi.Route{"10.44.0.0/20"},
 		}
 	})
-	opts.subnetRoutes = "10.44.0.0/20"
-	opts.confFileHash = "bacba177bcfe3849065cf6fee53d658a9bb4144197ac5b861727d69ea99742bb"
 	expectReconciled(t, cr, "", "test")
-	expectEqual(t, fc, expectedSTS(opts))
+	opts.routes = "10.44.0.0/20"
+	expectEqual(t, fc, expectedConnectorSTS(opts))

 	// Delete the Connector.
 	if err = fc.Delete(context.Background(), cn); err != nil {
@@ -141,36 +136,23 @@ func TestConnector(t *testing.T) {
 		},
 		Spec: tsapi.ConnectorSpec{
 			SubnetRouter: &tsapi.SubnetRouter{
-				AdvertiseRoutes: []tsapi.Route{"10.40.0.0/14"},
+				Routes: []tsapi.Route{"10.40.0.0/14"},
 			},
 		},
 	}
-	opts.subnetRoutes = "10.44.0.0/14"
-	opts.isExitNode = false
 	mustCreate(t, fc, cn)
 	expectReconciled(t, cr, "", "test")
 	fullName, shortName = findGenName(t, fc, "", "test", "connector")

-	opts = configOpts{
-		stsName:                    shortName,
-		secretName:                 fullName,
-		parentType:                 "connector",
-		shouldUseDeclarativeConfig: true,
-		subnetRoutes:               "10.40.0.0/14",
-		hostname:                   "test-connector",
-		confFileHash:               "57d922331890c9b1c8c6ae664394cb254334c551d9cd9db14537b5d9da9fb17e",
+	expectEqual(t, fc, expectedSecret(fullName, "", "connector"))
+	opts = connectorSTSOpts{
+		connectorName: "test",
+		stsName:       shortName,
+		secretName:    fullName,
+		routes:        "10.40.0.0/14",
+		isExitNode:    false,
 	}
-	expectEqual(t, fc, expectedSecret(t, opts))
-	expectEqual(t, fc, expectedSTS(opts))
-
-	// Add an exit node.
-	mustUpdate[tsapi.Connector](t, fc, "", "test", func(conn *tsapi.Connector) {
-		conn.Spec.ExitNode = true
-	})
-	opts.isExitNode = true
-	opts.confFileHash = "1499b591fd97a50f0330db6ec09979792c49890cf31f5da5bb6a3f50dba1e77a"
-	expectReconciled(t, cr, "", "test")
-	expectEqual(t, fc, expectedSTS(opts))
+	expectEqual(t, fc, expectedConnectorSTS(opts))

 	// Delete the Connector.
 	if err = fc.Delete(context.Background(), cn); err != nil {
@@ -183,3 +165,89 @@ func TestConnector(t *testing.T) {
 	expectMissing[appsv1.StatefulSet](t, fc, "operator-ns", shortName)
 	expectMissing[corev1.Secret](t, fc, "operator-ns", fullName)
 }
+
+type connectorSTSOpts struct {
+	stsName       string
+	secretName    string
+	connectorName string
+	hostname      string
+	routes        string
+	isExitNode    bool
+}
+
+func expectedConnectorSTS(opts connectorSTSOpts) *appsv1.StatefulSet {
+	var hostname string
+	if opts.hostname != "" {
+		hostname = opts.hostname
+	} else {
+		hostname = opts.connectorName + "-connector"
+	}
+	containerEnv := []corev1.EnvVar{
+		{Name: "TS_USERSPACE", Value: "false"},
+		{Name: "TS_AUTH_ONCE", Value: "true"},
+		{Name: "TS_KUBE_SECRET", Value: opts.secretName},
+		{Name: "TS_HOSTNAME", Value: hostname},
+		{Name: "TS_EXTRA_ARGS", Value: fmt.Sprintf("--advertise-exit-node=%v", opts.isExitNode)},
+		{Name: "TS_ROUTES", Value: opts.routes},
+	}
+	sts := &appsv1.StatefulSet{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "StatefulSet",
+			APIVersion: "apps/v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      opts.stsName,
+			Namespace: "operator-ns",
+			Labels: map[string]string{
+				"tailscale.com/managed":              "true",
+				"tailscale.com/parent-resource":      "test",
+				"tailscale.com/parent-resource-ns":   "",
+				"tailscale.com/parent-resource-type": "connector",
+			},
+		},
+		Spec: appsv1.StatefulSetSpec{
+			Replicas: ptr.To[int32](1),
+			Selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{"app": "1234-UID"},
+			},
+			ServiceName: opts.stsName,
+			Template: corev1.PodTemplateSpec{
+				ObjectMeta: metav1.ObjectMeta{
+					DeletionGracePeriodSeconds: ptr.To[int64](10),
+					Labels:                     map[string]string{"app": "1234-UID"},
+					Annotations: map[string]string{
+						"tailscale.com/operator-last-set-hostname": hostname,
+					},
+				},
+				Spec: corev1.PodSpec{
+					ServiceAccountName: "proxies",
+					InitContainers: []corev1.Container{
+						{
+							Name:    "sysctler",
+							Image:   "tailscale/tailscale",
+							Command: []string{"/bin/sh"},
+							Args:    []string{"-c", "sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1"},
+							SecurityContext: &corev1.SecurityContext{
+								Privileged: ptr.To(true),
+							},
+						},
+					},
+					Containers: []corev1.Container{
+						{
+							Name:  "tailscale",
+							Image: "tailscale/tailscale",
+							Env:   containerEnv,
+							SecurityContext: &corev1.SecurityContext{
+								Capabilities: &corev1.Capabilities{
+									Add: []corev1.Capability{"NET_ADMIN"},
+								},
+							},
+							ImagePullPolicy: "Always",
+						},
+					},
+				},
+			},
+		},
+	}
+	return sts
+}
--- a/cmd/k8s-operator/deploy/chart/templates/operator-rbac.yaml
+++ b/cmd/k8s-operator/deploy/chart/templates/operator-rbac.yaml
@@ -21,6 +21,9 @@ rules:
 - apiGroups: ["tailscale.com"]
  resources: ["connectors", "connectors/status"]
  verbs: ["get", "list", "watch", "update"]
+- apiGroups: [""]
+  resources: ["configmaps"]
+  verbs: ["*"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
--- a/cmd/k8s-operator/deploy/crds/tailscale.com_connectors.yaml
+++ b/cmd/k8s-operator/deploy/crds/tailscale.com_connectors.yaml
@@ -47,34 +47,33 @@ spec:
              description: ConnectorSpec describes the desired Tailscale component.
              type: object
              properties:
-                exitNode:
-                  description: ExitNode defines whether the Connector node should act as a Tailscale exit node. Defaults to false. https://tailscale.com/kb/1103/exit-nodes
-                  type: boolean
                hostname:
-                  description: Hostname is the tailnet hostname that should be assigned to the Connector node. If unset, hostname defaults to <connector name>-connector. Hostname can contain lower case letters, numbers and dashes, it must not start or end with a dash and must be between 2 and 63 characters long.
+                  description: Hostname is the tailnet hostname that should be assigned to the Connector node. If unset, hostname is defaulted to <connector name>-connector. Hostname can contain lower case letters, numbers and dashes, it must not start or end with a dash and must be between 2 and 63 characters long.
                  type: string
                  pattern: ^[a-z0-9][a-z0-9-]{0,61}[a-z0-9]$
+                isExitNode:
+                  description: IsExitNode defines whether the Connector node should act as a Tailscale exit node. Defaults to false. https://tailscale.com/kb/1103/exit-nodes
+                  type: boolean
                subnetRouter:
                  description: SubnetRouter defines subnet routes that the Connector node should expose to tailnet. If unset, none are exposed. https://tailscale.com/kb/1019/subnets/
                  type: object
                  required:
-                    - advertiseRoutes
+                    - routes
                  properties:
-                    advertiseRoutes:
-                      description: AdvertiseRoutes refer to CIDRs that the subnet router should make available. Route values must be strings that represent a valid IPv4 or IPv6 CIDR range. Values can be Tailscale 4via6 subnet routes. https://tailscale.com/kb/1201/4via6-subnets/
+                    routes:
+                      description: Routes refer to in-cluster CIDRs that the subnet router should make available. Route values must be strings that represent a valid IPv4 or IPv6 CIDR range. Values can be Tailscale 4via6 subnet routes. https://tailscale.com/kb/1201/4via6-subnets/
                      type: array
-                      minItems: 1
                      items:
                        type: string
                        format: cidr
                tags:
-                  description: Tags that the Tailscale node will be tagged with. Defaults to [tag:k8s]. To autoapprove the subnet routes or exit node defined by a Connector, you can configure Tailscale ACLs to give these tags the necessary permissions. See https://tailscale.com/kb/1018/acls/#auto-approvers-for-routes-and-exit-nodes. If you specify custom tags here, you must also make the operator an owner of these tags. See  https://tailscale.com/kb/1236/kubernetes-operator/#setting-up-the-kubernetes-operator. Tags cannot be changed once a Connector node has been created. Tag values must be in form ^tag:[a-zA-Z][a-zA-Z0-9-]*$.
+                  description: Tags that the Tailscale node will be tagged with. Defaults to [tag:k8s]. To autoapprove the subnet routes or exit node defined by a Connector, you can configure Tailscale ACLs to give these tags the necessary permissions. See https://tailscale.com/kb/1018/acls/#auto-approvers-for-routes-and-exit-nodes If you specify custom tags here, you must also make the operator an owner of these tags. See  https://tailscale.com/kb/1236/kubernetes-operator/#setting-up-the-kubernetes-operator. Tags cannot be changed once a Connector node has been created. Tag values must be in form ^tag:[a-zA-Z][a-zA-Z0-9-]*$.
                  type: array
                  items:
                    type: string
                    pattern: ^tag:[a-zA-Z][a-zA-Z0-9-]*$
              x-kubernetes-validations:
-                - rule: has(self.subnetRouter) || self.exitNode == true
+                - rule: has(self.subnetRouter) || self.isExitNode == true
                  message: A Connector needs to be either an exit node or a subnet router, or both.
            status:
              description: ConnectorStatus describes the status of the Connector. This is set and managed by the Tailscale operator.
--- a/cmd/k8s-operator/deploy/examples/connector.yaml
+++ b/cmd/k8s-operator/deploy/examples/connector.yaml
@@ -13,7 +13,7 @@ spec:
  - "tag:prod"
  hostname: ts-prod
  subnetRouter:
-    advertiseRoutes:
+    routes:
    - "10.40.0.0/14"
    - "192.168.0.0/14"
-  exitNode: true
+  isExitNode: true
--- a/cmd/k8s-operator/operator.go
+++ b/cmd/k8s-operator/operator.go
@@ -9,7 +9,6 @@ package main

 import (
 	"context"
-	"os"
 	"regexp"
 	"strings"
 	"time"
@@ -17,7 +16,6 @@ import (
 	"github.com/go-logr/zapr"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
-	"golang.org/x/oauth2/clientcredentials"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 	networkingv1 "k8s.io/api/networking/v1"
@@ -41,6 +39,7 @@ import (
 	"tailscale.com/tsnet"
 	"tailscale.com/tstime"
 	"tailscale.com/types/logger"
+	"tailscale.com/util/must"
 	"tailscale.com/version"
 )

@@ -56,13 +55,13 @@ func main() {
 	tailscale.I_Acknowledge_This_API_Is_Unstable = true

 	var (
-		tsNamespace       = defaultEnv("OPERATOR_NAMESPACE", "")
-		tslogging         = defaultEnv("OPERATOR_LOGGING", "info")
-		image             = defaultEnv("PROXY_IMAGE", "tailscale/tailscale:latest")
-		priorityClassName = defaultEnv("PROXY_PRIORITY_CLASS_NAME", "")
-		tags              = defaultEnv("PROXY_TAGS", "tag:k8s")
-		tsFirewallMode    = defaultEnv("PROXY_FIREWALL_MODE", "")
-		tsEnableConnector = defaultBool("ENABLE_CONNECTOR", false)
+		// tsNamespace       = defaultEnv("OPERATOR_NAMESPACE", "")
+		tslogging = defaultEnv("OPERATOR_LOGGING", "info")
+		// image             = defaultEnv("PROXY_IMAGE", "tailscale/tailscale:latest")
+		// priorityClassName = defaultEnv("PROXY_PRIORITY_CLASS_NAME", "")
+		// tags              = defaultEnv("PROXY_TAGS", "tag:k8s")
+		// tsFirewallMode    = defaultEnv("PROXY_FIREWALL_MODE", "")
+		// tsEnableConnector = defaultBool("ENABLE_CONNECTOR", false)
 	)

 	var opts []kzap.Opts
@@ -80,20 +79,22 @@ func main() {
 	// The operator can run either as a plain operator or it can
 	// additionally act as api-server proxy
 	// https://tailscale.com/kb/1236/kubernetes-operator/?q=kubernetes#accessing-the-kubernetes-control-plane-using-an-api-server-proxy.
-	mode := parseAPIProxyMode()
+	// mode := parseAPIProxyMode()
+	mode := apiserverProxyModeNoAuth
 	if mode == apiserverProxyModeDisabled {
 		hostinfo.SetApp("k8s-operator")
 	} else {
 		hostinfo.SetApp("k8s-operator-proxy")
 	}

-	s, tsClient := initTSNet(zlog)
+	s, _ := initTSNet(zlog)
 	defer s.Close()
-	restConfig := config.GetConfigOrDie()
+	restConfig := must.Get(config.GetConfigWithContext(""))
 	maybeLaunchAPIServerProxy(zlog, restConfig, s, mode)
+	select {}
 	// TODO (irbekrm): gather the reconciler options into an opts struct
 	// rather than passing a million of them in one by one.
-	runReconcilers(zlog, s, tsNamespace, restConfig, tsClient, image, priorityClassName, tags, tsFirewallMode, tsEnableConnector)
+	// runReconcilers(zlog, s, tsNamespace, restConfig, tsClient, image, priorityClassName, tags, tsFirewallMode, tsEnableConnector)
 }

 // initTSNet initializes the tsnet.Server and logs in to Tailscale. It uses the
@@ -101,31 +102,31 @@ func main() {
 // with Tailscale.
 func initTSNet(zlog *zap.SugaredLogger) (*tsnet.Server, *tailscale.Client) {
 	var (
-		clientIDPath     = defaultEnv("CLIENT_ID_FILE", "")
-		clientSecretPath = defaultEnv("CLIENT_SECRET_FILE", "")
-		hostname         = defaultEnv("OPERATOR_HOSTNAME", "tailscale-operator")
-		kubeSecret       = defaultEnv("OPERATOR_SECRET", "")
-		operatorTags     = defaultEnv("OPERATOR_INITIAL_TAGS", "tag:k8s-operator")
+		// clientIDPath     = defaultEnv("CLIENT_ID_FILE", "")
+		// clientSecretPath = defaultEnv("CLIENT_SECRET_FILE", "")
+		hostname   = defaultEnv("OPERATOR_HOSTNAME", "tailscale-operator")
+		kubeSecret = defaultEnv("OPERATOR_SECRET", "")
+		// operatorTags     = defaultEnv("OPERATOR_INITIAL_TAGS", "tag:k8s-operator")
 	)
 	startlog := zlog.Named("startup")
-	if clientIDPath == "" || clientSecretPath == "" {
-		startlog.Fatalf("CLIENT_ID_FILE and CLIENT_SECRET_FILE must be set")
-	}
-	clientID, err := os.ReadFile(clientIDPath)
-	if err != nil {
-		startlog.Fatalf("reading client ID %q: %v", clientIDPath, err)
-	}
-	clientSecret, err := os.ReadFile(clientSecretPath)
-	if err != nil {
-		startlog.Fatalf("reading client secret %q: %v", clientSecretPath, err)
-	}
-	credentials := clientcredentials.Config{
-		ClientID:     string(clientID),
-		ClientSecret: string(clientSecret),
-		TokenURL:     "https://login.tailscale.com/api/v2/oauth/token",
-	}
-	tsClient := tailscale.NewClient("-", nil)
-	tsClient.HTTPClient = credentials.Client(context.Background())
+	// if clientIDPath == "" || clientSecretPath == "" {
+	// 	startlog.Fatalf("CLIENT_ID_FILE and CLIENT_SECRET_FILE must be set")
+	// }
+	// clientID, err := os.ReadFile(clientIDPath)
+	// if err != nil {
+	// 	startlog.Fatalf("reading client ID %q: %v", clientIDPath, err)
+	// }
+	// clientSecret, err := os.ReadFile(clientSecretPath)
+	// if err != nil {
+	// 	startlog.Fatalf("reading client secret %q: %v", clientSecretPath, err)
+	// }
+	// credentials := clientcredentials.Config{
+	// 	ClientID:     string(clientID),
+	// 	ClientSecret: string(clientSecret),
+	// 	TokenURL:     "https://login.tailscale.com/api/v2/oauth/token",
+	// }
+	// tsClient := tailscale.NewClient("-", nil)
+	// tsClient.HTTPClient = credentials.Client(context.Background())

 	s := &tsnet.Server{
 		Hostname: hostname,
@@ -163,21 +164,22 @@ waitOnline:
 			if loginDone {
 				break
 			}
-			caps := tailscale.KeyCapabilities{
-				Devices: tailscale.KeyDeviceCapabilities{
-					Create: tailscale.KeyDeviceCreateCapabilities{
-						Reusable:      false,
-						Preauthorized: true,
-						Tags:          strings.Split(operatorTags, ","),
-					},
-				},
-			}
-			authkey, _, err := tsClient.CreateKey(ctx, caps)
-			if err != nil {
-				startlog.Fatalf("creating operator authkey: %v", err)
-			}
+			// caps := tailscale.KeyCapabilities{
+			// 	Devices: tailscale.KeyDeviceCapabilities{
+			// 		Create: tailscale.KeyDeviceCreateCapabilities{
+			// 			Reusable:      false,
+			// 			Preauthorized: true,
+			// 			Tags:          strings.Split(operatorTags, ","),
+			// 		},
+			// 	},
+			// }
+			// authkey := ""
+			// authkey, _, err := tsClient.CreateKey(ctx, caps)
+			// if err != nil {
+			// 	startlog.Fatalf("creating operator authkey: %v", err)
+			// }
 			if err := lc.Start(ctx, ipn.Options{
-				AuthKey: authkey,
+				// AuthKey: authkey,
 			}); err != nil {
 				startlog.Fatalf("starting tailscale: %v", err)
 			}
@@ -196,7 +198,7 @@ waitOnline:
 		}
 		time.Sleep(time.Second)
 	}
-	return s, tsClient
+	return s, nil
 }

 // runReconcilers starts the controller-runtime manager and registers the
--- a/cmd/k8s-operator/operator_test.go
+++ b/cmd/k8s-operator/operator_test.go
@@ -6,15 +6,24 @@
 package main

 import (
+	"context"
 	"fmt"
+	"strings"
+	"sync"
 	"testing"
+	"time"

+	"github.com/google/go-cmp/cmp"
 	"go.uber.org/zap"
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"tailscale.com/client/tailscale"
 	"tailscale.com/types/ptr"
 )

@@ -58,18 +67,15 @@ func TestLoadBalancerClass(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")

 	fullName, shortName := findGenName(t, fc, "default", "test", "svc")
-	opts := configOpts{
-		stsName:         shortName,
-		secretName:      fullName,
-		namespace:       "default",
-		parentType:      "svc",
-		hostname:        "default-test",
-		clusterTargetIP: "10.20.30.40",
-	}

-	expectEqual(t, fc, expectedSecret(t, opts))
+	expectEqual(t, fc, expectedSecret(fullName, "default", "svc"))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	expectEqual(t, fc, expectedSTS(opts))
+	o := stsOpts{
+		name:       shortName,
+		secretName: fullName,
+		hostname:   "default-test",
+	}
+	expectEqual(t, fc, expectedSTS(o))

 	// Normally the Tailscale proxy pod would come up here and write its info
 	// into the secret. Simulate that, then verify reconcile again and verify
@@ -153,7 +159,6 @@ func TestLoadBalancerClass(t *testing.T) {
 	}
 	expectEqual(t, fc, want)
 }
-
 func TestTailnetTargetFQDNAnnotation(t *testing.T) {
 	fc := fake.NewFakeClient()
 	ft := &fakeTSClient{}
@@ -199,17 +204,15 @@ func TestTailnetTargetFQDNAnnotation(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")

 	fullName, shortName := findGenName(t, fc, "default", "test", "svc")
-	o := configOpts{
-		stsName:           shortName,
+
+	expectEqual(t, fc, expectedSecret(fullName, "default", "svc"))
+	expectEqual(t, fc, expectedHeadlessService(shortName))
+	o := stsOpts{
+		name:              shortName,
 		secretName:        fullName,
-		namespace:         "default",
-		parentType:        "svc",
 		tailnetTargetFQDN: tailnetTargetFQDN,
 		hostname:          "default-test",
 	}
-
-	expectEqual(t, fc, expectedSecret(t, o))
-	expectEqual(t, fc, expectedHeadlessService(shortName))
 	expectEqual(t, fc, expectedSTS(o))
 	want := &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
@@ -232,8 +235,14 @@ func TestTailnetTargetFQDNAnnotation(t *testing.T) {
 		},
 	}
 	expectEqual(t, fc, want)
-	expectEqual(t, fc, expectedSecret(t, o))
+	expectEqual(t, fc, expectedSecret(fullName, "default", "svc"))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
+	o = stsOpts{
+		name:              shortName,
+		secretName:        fullName,
+		tailnetTargetFQDN: tailnetTargetFQDN,
+		hostname:          "default-test",
+	}
 	expectEqual(t, fc, expectedSTS(o))

 	// Change the tailscale-target-fqdn annotation which should update the
@@ -263,7 +272,6 @@ func TestTailnetTargetFQDNAnnotation(t *testing.T) {
 	expectMissing[corev1.Service](t, fc, "operator-ns", shortName)
 	expectMissing[corev1.Secret](t, fc, "operator-ns", fullName)
 }
-
 func TestTailnetTargetIPAnnotation(t *testing.T) {
 	fc := fake.NewFakeClient()
 	ft := &fakeTSClient{}
@@ -309,17 +317,15 @@ func TestTailnetTargetIPAnnotation(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")

 	fullName, shortName := findGenName(t, fc, "default", "test", "svc")
-	o := configOpts{
-		stsName:         shortName,
+
+	expectEqual(t, fc, expectedSecret(fullName, "default", "svc"))
+	expectEqual(t, fc, expectedHeadlessService(shortName))
+	o := stsOpts{
+		name:            shortName,
 		secretName:      fullName,
-		namespace:       "default",
-		parentType:      "svc",
 		tailnetTargetIP: tailnetTargetIP,
 		hostname:        "default-test",
 	}
-
-	expectEqual(t, fc, expectedSecret(t, o))
-	expectEqual(t, fc, expectedHeadlessService(shortName))
 	expectEqual(t, fc, expectedSTS(o))
 	want := &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
@@ -342,8 +348,14 @@ func TestTailnetTargetIPAnnotation(t *testing.T) {
 		},
 	}
 	expectEqual(t, fc, want)
-	expectEqual(t, fc, expectedSecret(t, o))
+	expectEqual(t, fc, expectedSecret(fullName, "default", "svc"))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
+	o = stsOpts{
+		name:            shortName,
+		secretName:      fullName,
+		tailnetTargetIP: tailnetTargetIP,
+		hostname:        "default-test",
+	}
 	expectEqual(t, fc, expectedSTS(o))

 	// Change the tailscale-target-ip annotation which should update the
@@ -416,17 +428,14 @@ func TestAnnotations(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")

 	fullName, shortName := findGenName(t, fc, "default", "test", "svc")
-	o := configOpts{
-		stsName:         shortName,
-		secretName:      fullName,
-		namespace:       "default",
-		parentType:      "svc",
-		hostname:        "default-test",
-		clusterTargetIP: "10.20.30.40",
-	}

-	expectEqual(t, fc, expectedSecret(t, o))
+	expectEqual(t, fc, expectedSecret(fullName, "default", "svc"))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
+	o := stsOpts{
+		name:       shortName,
+		secretName: fullName,
+		hostname:   "default-test",
+	}
 	expectEqual(t, fc, expectedSTS(o))
 	want := &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
@@ -524,17 +533,14 @@ func TestAnnotationIntoLB(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")

 	fullName, shortName := findGenName(t, fc, "default", "test", "svc")
-	o := configOpts{
-		stsName:         shortName,
-		secretName:      fullName,
-		namespace:       "default",
-		parentType:      "svc",
-		hostname:        "default-test",
-		clusterTargetIP: "10.20.30.40",
-	}

-	expectEqual(t, fc, expectedSecret(t, o))
+	expectEqual(t, fc, expectedSecret(fullName, "default", "svc"))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
+	o := stsOpts{
+		name:       shortName,
+		secretName: fullName,
+		hostname:   "default-test",
+	}
 	expectEqual(t, fc, expectedSTS(o))

 	// Normally the Tailscale proxy pod would come up here and write its info
@@ -580,6 +586,11 @@ func TestAnnotationIntoLB(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")
 	// None of the proxy machinery should have changed...
 	expectEqual(t, fc, expectedHeadlessService(shortName))
+	o = stsOpts{
+		name:       shortName,
+		secretName: fullName,
+		hostname:   "default-test",
+	}
 	expectEqual(t, fc, expectedSTS(o))
 	// ... but the service should have a LoadBalancer status.

@@ -655,17 +666,14 @@ func TestLBIntoAnnotation(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")

 	fullName, shortName := findGenName(t, fc, "default", "test", "svc")
-	o := configOpts{
-		stsName:         shortName,
-		secretName:      fullName,
-		namespace:       "default",
-		parentType:      "svc",
-		hostname:        "default-test",
-		clusterTargetIP: "10.20.30.40",
-	}

-	expectEqual(t, fc, expectedSecret(t, o))
+	expectEqual(t, fc, expectedSecret(fullName, "default", "svc"))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
+	o := stsOpts{
+		name:       shortName,
+		secretName: fullName,
+		hostname:   "default-test",
+	}
 	expectEqual(t, fc, expectedSTS(o))

 	// Normally the Tailscale proxy pod would come up here and write its info
@@ -729,6 +737,11 @@ func TestLBIntoAnnotation(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")

 	expectEqual(t, fc, expectedHeadlessService(shortName))
+	o = stsOpts{
+		name:       shortName,
+		secretName: fullName,
+		hostname:   "default-test",
+	}
 	expectEqual(t, fc, expectedSTS(o))

 	want = &corev1.Service{
@@ -796,17 +809,14 @@ func TestCustomHostname(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")

 	fullName, shortName := findGenName(t, fc, "default", "test", "svc")
-	o := configOpts{
-		stsName:         shortName,
-		secretName:      fullName,
-		namespace:       "default",
-		parentType:      "svc",
-		hostname:        "reindeer-flotilla",
-		clusterTargetIP: "10.20.30.40",
-	}

-	expectEqual(t, fc, expectedSecret(t, o))
+	expectEqual(t, fc, expectedSecret(fullName, "default", "svc"))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
+	o := stsOpts{
+		name:       shortName,
+		secretName: fullName,
+		hostname:   "reindeer-flotilla",
+	}
 	expectEqual(t, fc, expectedSTS(o))
 	want := &corev1.Service{
 		TypeMeta: metav1.TypeMeta{
@@ -910,14 +920,11 @@ func TestCustomPriorityClassName(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")

 	fullName, shortName := findGenName(t, fc, "default", "test", "svc")
-	o := configOpts{
-		stsName:           shortName,
+	o := stsOpts{
+		name:              shortName,
 		secretName:        fullName,
-		namespace:         "default",
-		parentType:        "svc",
 		hostname:          "tailscale-critical",
 		priorityClassName: "custom-priority-class-name",
-		clusterTargetIP:   "10.20.30.40",
 	}

 	expectEqual(t, fc, expectedSTS(o))
@@ -964,14 +971,12 @@ func TestDefaultLoadBalancer(t *testing.T) {

 	fullName, shortName := findGenName(t, fc, "default", "test", "svc")

+	// expectEqual(t, fc, expectedSecret(fullName, "default", "svc"))
 	expectEqual(t, fc, expectedHeadlessService(shortName))
-	o := configOpts{
-		stsName:         shortName,
-		secretName:      fullName,
-		namespace:       "default",
-		parentType:      "svc",
-		hostname:        "default-test",
-		clusterTargetIP: "10.20.30.40",
+	o := stsOpts{
+		name:       shortName,
+		secretName: fullName,
+		hostname:   "default-test",
 	}
 	expectEqual(t, fc, expectedSTS(o))
 }
@@ -1017,19 +1022,331 @@ func TestProxyFirewallMode(t *testing.T) {
 	expectReconciled(t, sr, "default", "test")

 	fullName, shortName := findGenName(t, fc, "default", "test", "svc")
-	o := configOpts{
-		stsName:         shortName,
-		secretName:      fullName,
-		namespace:       "default",
-		parentType:      "svc",
-		hostname:        "default-test",
-		firewallMode:    "nftables",
-		clusterTargetIP: "10.20.30.40",
+	o := stsOpts{
+		name:         shortName,
+		secretName:   fullName,
+		hostname:     "default-test",
+		firewallMode: "nftables",
 	}
 	expectEqual(t, fc, expectedSTS(o))

 }

+func expectedSecret(name, parentNamespace, typ string) *corev1.Secret {
+	return &corev1.Secret{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "Secret",
+			APIVersion: "v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      name,
+			Namespace: "operator-ns",
+			Labels: map[string]string{
+				"tailscale.com/managed":              "true",
+				"tailscale.com/parent-resource":      "test",
+				"tailscale.com/parent-resource-ns":   parentNamespace,
+				"tailscale.com/parent-resource-type": typ,
+			},
+		},
+		StringData: map[string]string{
+			"authkey": "secret-authkey",
+		},
+	}
+}
+
+func expectedHeadlessService(name string) *corev1.Service {
+	return &corev1.Service{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "Service",
+			APIVersion: "v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:         name,
+			GenerateName: "ts-test-",
+			Namespace:    "operator-ns",
+			Labels: map[string]string{
+				"tailscale.com/managed":              "true",
+				"tailscale.com/parent-resource":      "test",
+				"tailscale.com/parent-resource-ns":   "default",
+				"tailscale.com/parent-resource-type": "svc",
+			},
+		},
+		Spec: corev1.ServiceSpec{
+			Selector: map[string]string{
+				"app": "1234-UID",
+			},
+			ClusterIP: "None",
+		},
+	}
+}
+
+func expectedSTS(opts stsOpts) *appsv1.StatefulSet {
+	containerEnv := []corev1.EnvVar{
+		{Name: "TS_USERSPACE", Value: "false"},
+		{Name: "TS_AUTH_ONCE", Value: "true"},
+		{Name: "TS_KUBE_SECRET", Value: opts.secretName},
+		{Name: "TS_HOSTNAME", Value: opts.hostname},
+	}
+	annots := map[string]string{
+		"tailscale.com/operator-last-set-hostname": opts.hostname,
+	}
+	if opts.tailnetTargetIP != "" {
+		annots["tailscale.com/operator-last-set-ts-tailnet-target-ip"] = opts.tailnetTargetIP
+		containerEnv = append(containerEnv, corev1.EnvVar{
+			Name:  "TS_TAILNET_TARGET_IP",
+			Value: opts.tailnetTargetIP,
+		})
+	} else if opts.tailnetTargetFQDN != "" {
+		annots["tailscale.com/operator-last-set-ts-tailnet-target-fqdn"] = opts.tailnetTargetFQDN
+		containerEnv = append(containerEnv, corev1.EnvVar{
+			Name:  "TS_TAILNET_TARGET_FQDN",
+			Value: opts.tailnetTargetFQDN,
+		})
+
+	} else {
+		containerEnv = append(containerEnv, corev1.EnvVar{
+			Name:  "TS_DEST_IP",
+			Value: "10.20.30.40",
+		})
+
+		annots["tailscale.com/operator-last-set-cluster-ip"] = "10.20.30.40"
+
+	}
+	if opts.firewallMode != "" {
+		containerEnv = append(containerEnv, corev1.EnvVar{
+			Name:  "TS_DEBUG_FIREWALL_MODE",
+			Value: opts.firewallMode,
+		})
+	}
+	return &appsv1.StatefulSet{
+		TypeMeta: metav1.TypeMeta{
+			Kind:       "StatefulSet",
+			APIVersion: "apps/v1",
+		},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      opts.name,
+			Namespace: "operator-ns",
+			Labels: map[string]string{
+				"tailscale.com/managed":              "true",
+				"tailscale.com/parent-resource":      "test",
+				"tailscale.com/parent-resource-ns":   "default",
+				"tailscale.com/parent-resource-type": "svc",
+			},
+		},
+		Spec: appsv1.StatefulSetSpec{
+			Replicas: ptr.To[int32](1),
+			Selector: &metav1.LabelSelector{
+				MatchLabels: map[string]string{"app": "1234-UID"},
+			},
+			ServiceName: opts.name,
+			Template: corev1.PodTemplateSpec{
+				ObjectMeta: metav1.ObjectMeta{
+					Annotations:                annots,
+					DeletionGracePeriodSeconds: ptr.To[int64](10),
+					Labels:                     map[string]string{"app": "1234-UID"},
+				},
+				Spec: corev1.PodSpec{
+					ServiceAccountName: "proxies",
+					PriorityClassName:  opts.priorityClassName,
+					InitContainers: []corev1.Container{
+						{
+							Name:    "sysctler",
+							Image:   "tailscale/tailscale",
+							Command: []string{"/bin/sh"},
+							Args:    []string{"-c", "sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1"},
+							SecurityContext: &corev1.SecurityContext{
+								Privileged: ptr.To(true),
+							},
+						},
+					},
+					Containers: []corev1.Container{
+						{
+							Name:  "tailscale",
+							Image: "tailscale/tailscale",
+							Env:   containerEnv,
+							SecurityContext: &corev1.SecurityContext{
+								Capabilities: &corev1.Capabilities{
+									Add: []corev1.Capability{"NET_ADMIN"},
+								},
+							},
+							ImagePullPolicy: "Always",
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+func findGenName(t *testing.T, client client.Client, ns, name, typ string) (full, noSuffix string) {
+	t.Helper()
+	labels := map[string]string{
+		LabelManaged:         "true",
+		LabelParentName:      name,
+		LabelParentNamespace: ns,
+		LabelParentType:      typ,
+	}
+	s, err := getSingleObject[corev1.Secret](context.Background(), client, "operator-ns", labels)
+	if err != nil {
+		t.Fatalf("finding secret for %q: %v", name, err)
+	}
+	if s == nil {
+		t.Fatalf("no secret found for %q %s %+#v", name, ns, labels)
+	}
+	return s.GetName(), strings.TrimSuffix(s.GetName(), "-0")
+}
+
+func mustCreate(t *testing.T, client client.Client, obj client.Object) {
+	t.Helper()
+	if err := client.Create(context.Background(), obj); err != nil {
+		t.Fatalf("creating %q: %v", obj.GetName(), err)
+	}
+}
+
+func mustUpdate[T any, O ptrObject[T]](t *testing.T, client client.Client, ns, name string, update func(O)) {
+	t.Helper()
+	obj := O(new(T))
+	if err := client.Get(context.Background(), types.NamespacedName{
+		Name:      name,
+		Namespace: ns,
+	}, obj); err != nil {
+		t.Fatalf("getting %q: %v", name, err)
+	}
+	update(obj)
+	if err := client.Update(context.Background(), obj); err != nil {
+		t.Fatalf("updating %q: %v", name, err)
+	}
+}
+
+func mustUpdateStatus[T any, O ptrObject[T]](t *testing.T, client client.Client, ns, name string, update func(O)) {
+	t.Helper()
+	obj := O(new(T))
+	if err := client.Get(context.Background(), types.NamespacedName{
+		Name:      name,
+		Namespace: ns,
+	}, obj); err != nil {
+		t.Fatalf("getting %q: %v", name, err)
+	}
+	update(obj)
+	if err := client.Status().Update(context.Background(), obj); err != nil {
+		t.Fatalf("updating %q: %v", name, err)
+	}
+}
+
+func expectEqual[T any, O ptrObject[T]](t *testing.T, client client.Client, want O) {
+	t.Helper()
+	got := O(new(T))
+	if err := client.Get(context.Background(), types.NamespacedName{
+		Name:      want.GetName(),
+		Namespace: want.GetNamespace(),
+	}, got); err != nil {
+		t.Fatalf("getting %q: %v", want.GetName(), err)
+	}
+	// The resource version changes eagerly whenever the operator does even a
+	// no-op update. Asserting a specific value leads to overly brittle tests,
+	// so just remove it from both got and want.
+	got.SetResourceVersion("")
+	want.SetResourceVersion("")
+	if diff := cmp.Diff(got, want); diff != "" {
+		t.Fatalf("unexpected object (-got +want):\n%s", diff)
+	}
+}
+
+func expectMissing[T any, O ptrObject[T]](t *testing.T, client client.Client, ns, name string) {
+	t.Helper()
+	obj := O(new(T))
+	if err := client.Get(context.Background(), types.NamespacedName{
+		Name:      name,
+		Namespace: ns,
+	}, obj); !apierrors.IsNotFound(err) {
+		t.Fatalf("object %s/%s unexpectedly present, wanted missing", ns, name)
+	}
+}
+
+func expectReconciled(t *testing.T, sr reconcile.Reconciler, ns, name string) {
+	t.Helper()
+	req := reconcile.Request{
+		NamespacedName: types.NamespacedName{
+			Namespace: ns,
+			Name:      name,
+		},
+	}
+	res, err := sr.Reconcile(context.Background(), req)
+	if err != nil {
+		t.Fatalf("Reconcile: unexpected error: %v", err)
+	}
+	if res.Requeue {
+		t.Fatalf("unexpected immediate requeue")
+	}
+	if res.RequeueAfter != 0 {
+		t.Fatalf("unexpected timed requeue (%v)", res.RequeueAfter)
+	}
+}
+
+func expectRequeue(t *testing.T, sr reconcile.Reconciler, ns, name string) {
+	t.Helper()
+	req := reconcile.Request{
+		NamespacedName: types.NamespacedName{
+			Name:      name,
+			Namespace: ns,
+		},
+	}
+	res, err := sr.Reconcile(context.Background(), req)
+	if err != nil {
+		t.Fatalf("Reconcile: unexpected error: %v", err)
+	}
+	if res.RequeueAfter == 0 {
+		t.Fatalf("expected timed requeue, got success")
+	}
+}
+
+type stsOpts struct {
+	name              string
+	secretName        string
+	hostname          string
+	priorityClassName string
+	firewallMode      string
+	tailnetTargetIP   string
+	tailnetTargetFQDN string
+}
+
+type fakeTSClient struct {
+	sync.Mutex
+	keyRequests []tailscale.KeyCapabilities
+	deleted     []string
+}
+
+func (c *fakeTSClient) CreateKey(ctx context.Context, caps tailscale.KeyCapabilities) (string, *tailscale.Key, error) {
+	c.Lock()
+	defer c.Unlock()
+	c.keyRequests = append(c.keyRequests, caps)
+	k := &tailscale.Key{
+		ID:           "key",
+		Created:      time.Now(),
+		Capabilities: caps,
+	}
+	return "secret-authkey", k, nil
+}
+
+func (c *fakeTSClient) DeleteDevice(ctx context.Context, deviceID string) error {
+	c.Lock()
+	defer c.Unlock()
+	c.deleted = append(c.deleted, deviceID)
+	return nil
+}
+
+func (c *fakeTSClient) KeyRequests() []tailscale.KeyCapabilities {
+	c.Lock()
+	defer c.Unlock()
+	return c.keyRequests
+}
+
+func (c *fakeTSClient) Deleted() []string {
+	c.Lock()
+	defer c.Unlock()
+	return c.deleted
+}
+
 func Test_isMagicDNSName(t *testing.T) {
 	tests := []struct {
 		in   string
--- a/cmd/k8s-operator/proxy.go
+++ b/cmd/k8s-operator/proxy.go
@@ -6,16 +6,25 @@
 package main

 import (
+	"bufio"
 	"context"
 	"crypto/tls"
+	"encoding/json"
 	"fmt"
+	"io"
 	"log"
+	"net"
 	"net/http"
 	"net/http/httputil"
+	"net/textproto"
 	"net/url"
 	"os"
+	"path"
 	"strings"
+	"sync"
+	"time"

+	"github.com/pkg/errors"
 	"go.uber.org/zap"
 	"k8s.io/client-go/rest"
 	"k8s.io/client-go/transport"
@@ -87,9 +96,9 @@ func maybeLaunchAPIServerProxy(zlog *zap.SugaredLogger, restConfig *rest.Config,
 		return
 	}
 	startlog := zlog.Named("launchAPIProxy")
-	if mode == apiserverProxyModeNoAuth {
-		restConfig = rest.AnonymousClientConfig(restConfig)
-	}
+	// if mode == apiserverProxyModeNoAuth {
+	// 	restConfig = rest.AnonymousClientConfig(restConfig)
+	// }
 	cfg, err := restConfig.TransportConfig()
 	if err != nil {
 		startlog.Fatalf("could not get rest.TransportConfig(): %v", err)
@@ -108,15 +117,89 @@ func maybeLaunchAPIServerProxy(zlog *zap.SugaredLogger, restConfig *rest.Config,
 	if err != nil {
 		startlog.Fatalf("could not get rest.TransportConfig(): %v", err)
 	}
-	go runAPIServerProxy(s, rt, zlog.Named("apiserver-proxy"), mode)
+	go runAPIServerProxy(s, rt, zlog.Named("apiserver-proxy"), mode, restConfig.Host)
 }

 // apiserverProxy is an http.Handler that authenticates requests using the Tailscale
 // LocalAPI and then proxies them to the Kubernetes API.
 type apiserverProxy struct {
-	log *zap.SugaredLogger
-	lc  *tailscale.LocalClient
-	rp  *httputil.ReverseProxy
+	log  *zap.SugaredLogger
+	lc   *tailscale.LocalClient
+	rp   *httputil.ReverseProxy
+	mode apiServerProxyMode
+
+	upstreamURL    *url.URL
+	upstreamClient *http.Client
+}
+
+// Hop-by-hop headers. These are removed when sent to the backend.
+// As of RFC 7230, hop-by-hop headers are required to appear in the
+// Connection header field. These are the headers defined by the
+// obsoleted RFC 2616 (section 13.5.1) and are used for backward
+// compatibility.
+var hopHeaders = []string{
+	"Connection",
+	"Proxy-Connection", // non-standard but still sent by libcurl and rejected by e.g. google
+	"Keep-Alive",
+	"Proxy-Authenticate",
+	"Proxy-Authorization",
+	"Te",      // canonicalized version of "TE"
+	"Trailer", // not Trailers per URL above; https://www.rfc-editor.org/errata_search.php?eid=4522
+	"Transfer-Encoding",
+	"Upgrade",
+}
+
+// removeHopByHopHeaders removes hop-by-hop headers.
+func removeHopByHopHeaders(h http.Header) {
+	// RFC 7230, section 6.1: Remove headers listed in the "Connection" header.
+	for _, f := range h["Connection"] {
+		for _, sf := range strings.Split(f, ",") {
+			if sf = textproto.TrimString(sf); sf != "" {
+				h.Del(sf)
+			}
+		}
+	}
+	// RFC 2616, section 13.5.1: Remove a set of known hop-by-hop headers.
+	// This behavior is superseded by the RFC 7230 Connection header, but
+	// preserve it for backwards compatibility.
+	for _, f := range hopHeaders {
+		h.Del(f)
+	}
+}
+
+func (h *apiserverProxy) addImpersonationHeadersAsRequired(r *http.Request) {
+	// Replace the URL with the Kubernetes APIServer.
+
+	r.URL.Scheme = h.upstreamURL.Scheme
+	r.URL.Host = h.upstreamURL.Host
+	if h.mode == apiserverProxyModeNoAuth {
+		// If we are not providing authentication, then we are just
+		// proxying to the Kubernetes API, so we don't need to do
+		// anything else.
+		return
+	}
+
+	// We want to proxy to the Kubernetes API, but we want to use
+	// the caller's identity to do so. We do this by impersonating
+	// the caller using the Kubernetes User Impersonation feature:
+	// https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation
+
+	// Out of paranoia, remove all authentication headers that might
+	// have been set by the client.
+	r.Header.Del("Authorization")
+	r.Header.Del("Impersonate-Group")
+	r.Header.Del("Impersonate-User")
+	r.Header.Del("Impersonate-Uid")
+	for k := range r.Header {
+		if strings.HasPrefix(k, "Impersonate-Extra-") {
+			r.Header.Del(k)
+		}
+	}
+
+	// Now add the impersonation headers that we want.
+	if err := addImpersonationHeaders(r, h.log); err != nil {
+		panic("failed to add impersonation headers: " + err.Error())
+	}
 }

 func (h *apiserverProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
@@ -127,7 +210,84 @@ func (h *apiserverProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	counterNumRequestsProxied.Add(1)
-	h.rp.ServeHTTP(w, addWhoIsToRequest(r, who))
+	r = addWhoIsToRequest(r, who)
+	if r.Method != "POST" || path.Base(r.URL.Path) != "exec" { // also check for pod
+		h.rp.ServeHTTP(w, r)
+		return
+	}
+	// hj := w.(http.Hijacker)
+	// reqConn, brw, err := hj.Hijack()
+	// if err != nil {
+	// 	return
+	// }
+	// defer reqConn.Close()
+	// if err := brw.Flush(); err != nil {
+	// 	return
+	// }
+	// reqConn = netutil.NewDrainBufConn(reqConn, brw.Reader)
+	// respConn, err := net.Dial("tcp", h.upstreamURL.Host)
+	// if err != nil {
+	// 	h.log.Errorf("failed to dial upstream: %v", err)
+	// 	return
+	// }
+	// defer respConn.Close()
+
+	req2 := r.Clone(r.Context())
+	h.addImpersonationHeadersAsRequired(req2)
+
+	req2.Body = io.NopCloser(io.TeeReader(r.Body, os.Stdout))
+	defer r.Body.Close()
+
+	h.rp.ServeHTTP(&teeResponseWriter{
+		ResponseWriter: w,
+		hj:             w.(http.Hijacker),
+		multiWriter:    io.MultiWriter(os.Stdout, w),
+	}, req2)
+}
+
+type teeResponseWriter struct {
+	http.ResponseWriter
+	hj          http.Hijacker
+	multiWriter io.Writer
+}
+
+func (w *teeResponseWriter) Hijack() (net.Conn, *bufio.ReadWriter, error) {
+	reqConn, brw, err := w.hj.Hijack()
+	if err != nil {
+		return nil, nil, err
+	}
+	f, err := os.OpenFile("/tmp/recording.cast", os.O_CREATE|os.O_WRONLY, 0644)
+	if err != nil {
+		return nil, nil, err
+	}
+	r := &recording{
+		start:    time.Now(),
+		failOpen: true,
+		out:      f,
+	}
+	lc := &loggingConn{Conn: reqConn, lw: &loggingWriter{
+		r:                   r,
+		recordingFailedOpen: false,
+	}}
+
+	ch := CastHeader{
+		Version:   2,
+		Timestamp: r.start.Unix(),
+	}
+	j, err := json.Marshal(ch)
+	if err != nil {
+		return nil, nil, err
+	}
+	j = append(j, '\n')
+	if _, err := f.Write(j); err != nil {
+		return nil, nil, err
+	}
+
+	return lc, brw, nil
+}
+
+func (w *teeResponseWriter) Write(b []byte) (int, error) {
+	return w.multiWriter.Write(b)
 }

 // runAPIServerProxy runs an HTTP server that authenticates requests using the
@@ -144,7 +304,7 @@ func (h *apiserverProxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 //     are passed through to the Kubernetes API.
 //
 // It never returns.
-func runAPIServerProxy(s *tsnet.Server, rt http.RoundTripper, log *zap.SugaredLogger, mode apiServerProxyMode) {
+func runAPIServerProxy(s *tsnet.Server, rt http.RoundTripper, log *zap.SugaredLogger, mode apiServerProxyMode, host string) {
 	if mode == apiserverProxyModeDisabled {
 		return
 	}
@@ -152,7 +312,7 @@ func runAPIServerProxy(s *tsnet.Server, rt http.RoundTripper, log *zap.SugaredLo
 	if err != nil {
 		log.Fatalf("could not listen on :443: %v", err)
 	}
-	u, err := url.Parse(fmt.Sprintf("https://%s:%s", os.Getenv("KUBERNETES_SERVICE_HOST"), os.Getenv("KUBERNETES_SERVICE_PORT_HTTPS")))
+	u, err := url.Parse(host)
 	if err != nil {
 		log.Fatalf("runAPIServerProxy: failed to parse URL %v", err)
 	}
@@ -162,45 +322,16 @@ func runAPIServerProxy(s *tsnet.Server, rt http.RoundTripper, log *zap.SugaredLo
 		log.Fatalf("could not get local client: %v", err)
 	}
 	ap := &apiserverProxy{
-		log: log,
-		lc:  lc,
-		rp: &httputil.ReverseProxy{
-			Rewrite: func(r *httputil.ProxyRequest) {
-				// Replace the URL with the Kubernetes APIServer.
-
-				r.Out.URL.Scheme = u.Scheme
-				r.Out.URL.Host = u.Host
-				if mode == apiserverProxyModeNoAuth {
-					// If we are not providing authentication, then we are just
-					// proxying to the Kubernetes API, so we don't need to do
-					// anything else.
-					return
-				}
-
-				// We want to proxy to the Kubernetes API, but we want to use
-				// the caller's identity to do so. We do this by impersonating
-				// the caller using the Kubernetes User Impersonation feature:
-				// https://kubernetes.io/docs/reference/access-authn-authz/authentication/#user-impersonation
-
-				// Out of paranoia, remove all authentication headers that might
-				// have been set by the client.
-				r.Out.Header.Del("Authorization")
-				r.Out.Header.Del("Impersonate-Group")
-				r.Out.Header.Del("Impersonate-User")
-				r.Out.Header.Del("Impersonate-Uid")
-				for k := range r.Out.Header {
-					if strings.HasPrefix(k, "Impersonate-Extra-") {
-						r.Out.Header.Del(k)
-					}
-				}
-
-				// Now add the impersonation headers that we want.
-				if err := addImpersonationHeaders(r.Out, log); err != nil {
-					panic("failed to add impersonation headers: " + err.Error())
-				}
-			},
-			Transport: rt,
+		log:         log,
+		lc:          lc,
+		mode:        mode,
+		upstreamURL: u,
+	}
+	ap.rp = &httputil.ReverseProxy{
+		Rewrite: func(pr *httputil.ProxyRequest) {
+			ap.addImpersonationHeadersAsRequired(pr.Out)
 		},
+		Transport: rt,
 	}
 	hs := &http.Server{
 		// Kubernetes uses SPDY for exec and port-forward, however SPDY is
@@ -285,3 +416,151 @@ func addImpersonationHeaders(r *http.Request, log *zap.SugaredLogger) error {
 	}
 	return nil
 }
+
+// CastHeader is the header of an asciinema file.
+type CastHeader struct {
+	// Version is the asciinema file format version.
+	Version int `json:"version"`
+
+	// Width is the terminal width in characters.
+	// It is non-zero for Pty sessions.
+	Width int `json:"width"`
+
+	// Height is the terminal height in characters.
+	// It is non-zero for Pty sessions.
+	Height int `json:"height"`
+
+	// Timestamp is the unix timestamp of when the recording started.
+	Timestamp int64 `json:"timestamp"`
+
+	// Env is the environment variables of the session.
+	// Only "TERM" is set (2023-03-22).
+	Env map[string]string `json:"env"`
+
+	// Command is the command that was executed.
+	// Typically empty for shell sessions.
+	Command string `json:"command,omitempty"`
+
+	// Tailscale-specific fields:
+	// SrcNode is the FQDN of the node originating the connection.
+	// It is also the MagicDNS name for the node.
+	// It does not have a trailing dot.
+	// e.g. "host.tail-scale.ts.net"
+	SrcNode string `json:"srcNode"`
+
+	// SrcNodeID is the node ID of the node originating the connection.
+	SrcNodeID tailcfg.StableNodeID `json:"srcNodeID"`
+
+	// SrcNodeTags is the list of tags on the node originating the connection (if any).
+	SrcNodeTags []string `json:"srcNodeTags,omitempty"`
+
+	// SrcNodeUserID is the user ID of the node originating the connection (if not tagged).
+	SrcNodeUserID tailcfg.UserID `json:"srcNodeUserID,omitempty"` // if not tagged
+
+	// SrcNodeUser is the LoginName of the node originating the connection (if not tagged).
+	SrcNodeUser string `json:"srcNodeUser,omitempty"`
+
+	// SSHUser is the username as presented by the client.
+	SSHUser string `json:"sshUser"` // as presented by the client
+
+	// LocalUser is the effective username on the server.
+	LocalUser string `json:"localUser"`
+
+	// ConnectionID uniquely identifies a connection made to the SSH server.
+	// It may be shared across multiple sessions over the same connection in
+	// case of SSH multiplexing.
+	ConnectionID string `json:"connectionID"`
+}
+
+// loggingWriter is an io.Writer wrapper that writes first an
+// asciinema JSON cast format recording line, and then writes to w.
+type loggingWriter struct {
+	r *recording
+
+	// recordingFailedOpen specifies whether we've failed to write to
+	// r.out and should stop trying. It is set to true if we fail to write
+	// to r.out and r.failOpen is set.
+	recordingFailedOpen bool
+}
+
+func (w *loggingWriter) Write(p []byte) (n int, err error) {
+	if w.recordingFailedOpen {
+		return 0, nil
+	}
+	j, err := json.Marshal([]any{
+		time.Since(w.r.start).Seconds(),
+		"o",
+		string(p),
+	})
+	if err != nil {
+		return 0, err
+	}
+	j = append(j, '\n')
+	if err := w.writeCastLine(j); err != nil {
+		if !w.r.failOpen {
+			return 0, err
+		}
+		w.recordingFailedOpen = true
+	}
+	return len(p), nil
+}
+
+func (w *loggingWriter) writeCastLine(j []byte) error {
+	w.r.mu.Lock()
+	defer w.r.mu.Unlock()
+	if w.r.out == nil {
+		return errors.New("logger closed")
+	}
+	_, err := w.r.out.Write(j)
+	if err != nil {
+		return fmt.Errorf("logger Write: %w", err)
+	}
+	return nil
+}
+
+type loggingConn struct {
+	mu     sync.Mutex // guards writes to r.out
+	closed bool
+	net.Conn
+	lw *loggingWriter
+}
+
+func (c *loggingConn) Write(b []byte) (int, error) {
+	n, err := c.Conn.Write(b)
+	c.lw.Write(b[:n])
+	return n, err
+}
+
+func (c *loggingConn) Close() error {
+	c.mu.Lock()
+	defer c.mu.Unlock()
+	if c.closed {
+		return nil
+	}
+	c.closed = true
+	c.lw.r.Close()
+	return c.Conn.Close()
+}
+
+// recording is the state for an SSH session recording.
+type recording struct {
+	start time.Time
+
+	// failOpen specifies whether the session should be allowed to
+	// continue if writing to the recording fails.
+	failOpen bool
+
+	mu  sync.Mutex // guards writes to, close of out
+	out io.WriteCloser
+}
+
+func (r *recording) Close() error {
+	r.mu.Lock()
+	defer r.mu.Unlock()
+	if r.out == nil {
+		return nil
+	}
+	err := r.out.Close()
+	r.out = nil
+	return err
+}
--- a/cmd/k8s-operator/sts.go
+++ b/cmd/k8s-operator/sts.go
@@ -7,11 +7,11 @@ package main

 import (
 	"context"
-	"crypto/sha256"
 	_ "embed"
 	"encoding/json"
 	"errors"
 	"fmt"
+	"log"
 	"net/http"
 	"os"
 	"strings"
@@ -27,7 +27,6 @@ import (
 	"sigs.k8s.io/yaml"
 	"tailscale.com/client/tailscale"
 	"tailscale.com/ipn"
-	"tailscale.com/net/netutil"
 	"tailscale.com/tailcfg"
 	"tailscale.com/tsnet"
 	"tailscale.com/types/opt"
@@ -56,17 +55,12 @@ const (
 	AnnotationFunnel = "tailscale.com/funnel"

 	// Annotations set by the operator on pods to trigger restarts when the
-	// hostname, IP, FQDN or tailscaled config changes.
+	// hostname, IP or FQDN changes.
 	podAnnotationLastSetClusterIP         = "tailscale.com/operator-last-set-cluster-ip"
 	podAnnotationLastSetHostname          = "tailscale.com/operator-last-set-hostname"
 	podAnnotationLastSetTailnetTargetIP   = "tailscale.com/operator-last-set-ts-tailnet-target-ip"
 	podAnnotationLastSetTailnetTargetFQDN = "tailscale.com/operator-last-set-ts-tailnet-target-fqdn"
-	// podAnnotationLastSetConfigFileHash is sha256 hash of the current tailscaled configuration contents.
-	podAnnotationLastSetConfigFileHash = "tailscale.com/operator-last-set-config-file-hash"
-
-	// tailscaledConfigKey is the name of the key in proxy Secret Data that
-	// holds the tailscaled config contents.
-	tailscaledConfigKey = "tailscaled"
+	podAnnotationLastSetConfigFileHash    = "tailscale.com/operator-last-set-config-file-hash"
 )

 type tailscaleSTSConfig struct {
@@ -74,12 +68,15 @@ type tailscaleSTSConfig struct {
 	ParentResourceUID   string
 	ChildResourceLabels map[string]string

-	ServeConfig     *ipn.ServeConfig
-	ClusterTargetIP string // ingress target
+	ServeConfig *ipn.ServeConfig
+	// Tailscale target in cluster we are setting up ingress for
+	ClusterTargetIP string

-	TailnetTargetIP string // egress target IP
+	// Tailscale IP of a Tailscale service we are setting up egress for
+	TailnetTargetIP string

-	TailnetTargetFQDN string // egress target FQDN
+	// Tailscale FQDN of a Tailscale service we are setting up egress for
+	TailnetTargetFQDN string

 	Hostname string
 	Tags     []string // if empty, use defaultTags
@@ -87,6 +84,9 @@ type tailscaleSTSConfig struct {
 	// Connector specifies a configuration of a Connector instance if that's
 	// what this StatefulSet should be created for.
 	Connector *connector
+
+	// temp fix whilst prototyping, remove
+	key string
 }

 type connector struct {
@@ -123,17 +123,17 @@ func (a *tailscaleSTSReconciler) IsHTTPSEnabledOnTailnet() bool {
 // up to date.
 func (a *tailscaleSTSReconciler) Provision(ctx context.Context, logger *zap.SugaredLogger, sts *tailscaleSTSConfig) (*corev1.Service, error) {
 	// Do full reconcile.
-	// TODO (don't create Service for the Connector)
 	hsvc, err := a.reconcileHeadlessService(ctx, logger, sts)
 	if err != nil {
 		return nil, fmt.Errorf("failed to reconcile headless service: %w", err)
 	}

-	secretName, tsConfigHash, err := a.createOrGetSecret(ctx, logger, sts, hsvc)
+	secretName, key, err := a.createOrGetSecret(ctx, logger, sts, hsvc)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create or get API key secret: %w", err)
 	}
-	_, err = a.reconcileSTS(ctx, logger, sts, hsvc, secretName, tsConfigHash)
+	sts.key = key
+	_, err = a.reconcileSTS(ctx, logger, sts, hsvc, secretName)
 	if err != nil {
 		return nil, fmt.Errorf("failed to reconcile statefulset: %w", err)
 	}
@@ -266,9 +266,7 @@ func (a *tailscaleSTSReconciler) createOrGetSecret(ctx context.Context, logger *
 		return "", "", err
 	}

-	var (
-		authKey, hash string
-	)
+	var authKey string
 	if orig == nil {
 		// Secret doesn't exist yet, create one. Initially it contains
 		// only the Tailscale authkey, but once Tailscale starts it'll
@@ -290,21 +288,14 @@ func (a *tailscaleSTSReconciler) createOrGetSecret(ctx context.Context, logger *
 		if len(tags) == 0 {
 			tags = a.defaultTags
 		}
-		authKey, err = a.newAuthKey(ctx, tags)
+		authKey, err := a.newAuthKey(ctx, tags)
 		if err != nil {
 			return "", "", err
 		}
-	}
-	if !shouldDoTailscaledDeclarativeConfig(stsC) && authKey != "" {
+
 		mak.Set(&secret.StringData, "authkey", authKey)
-	}
-	if shouldDoTailscaledDeclarativeConfig(stsC) {
-		confFileBytes, h, err := tailscaledConfig(stsC, authKey, orig)
-		if err != nil {
-			return "", "", fmt.Errorf("error creating tailscaled config: %w", err)
-		}
-		hash = h
-		mak.Set(&secret.StringData, tailscaledConfigKey, string(confFileBytes))
+	} else {
+		authKey = string(orig.Data["authkey"])
 	}
 	if stsC.ServeConfig != nil {
 		j, err := json.Marshal(stsC.ServeConfig)
@@ -313,19 +304,18 @@ func (a *tailscaleSTSReconciler) createOrGetSecret(ctx context.Context, logger *
 		}
 		mak.Set(&secret.StringData, "serve-config", string(j))
 	}
-
 	if orig != nil {
-		logger.Debugf("patching existing state Secret with values %s", secret.Data[tailscaledConfigKey])
+		log.Printf("Patching existing secret %s", secret.Name)
 		if err := a.Patch(ctx, secret, client.MergeFrom(orig)); err != nil {
 			return "", "", err
 		}
 	} else {
-		logger.Debugf("creating new state Secret with authkey %s", secret.Data[tailscaledConfigKey])
 		if err := a.Create(ctx, secret); err != nil {
-			return "", "", err
+			return "", authKey, err
 		}
+		log.Printf("Created secret %s", secret.Name)
 	}
-	return secret.Name, hash, nil
+	return secret.Name, authKey, nil
 }

 // DeviceInfo returns the device ID and hostname for the Tailscale device
@@ -353,6 +343,7 @@ func (a *tailscaleSTSReconciler) DeviceInfo(ctx context.Context, childLabels map
 			return "", "", nil, err
 		}
 	}
+
 	return id, hostname, ips, nil
 }

@@ -380,7 +371,7 @@ var proxyYaml []byte
 //go:embed deploy/manifests/userspace-proxy.yaml
 var userspaceProxyYaml []byte

-func (a *tailscaleSTSReconciler) reconcileSTS(ctx context.Context, logger *zap.SugaredLogger, sts *tailscaleSTSConfig, headlessSvc *corev1.Service, proxySecret, tsConfigHash string) (*appsv1.StatefulSet, error) {
+func (a *tailscaleSTSReconciler) reconcileSTS(ctx context.Context, logger *zap.SugaredLogger, sts *tailscaleSTSConfig, headlessSvc *corev1.Service, authKeySecret string) (*appsv1.StatefulSet, error) {
 	var ss appsv1.StatefulSet
 	if sts.ServeConfig != nil {
 		if err := yaml.Unmarshal(userspaceProxyYaml, &ss); err != nil {
@@ -400,90 +391,32 @@ func (a *tailscaleSTSReconciler) reconcileSTS(ctx context.Context, logger *zap.S
 	}
 	container := &ss.Spec.Template.Spec.Containers[0]
 	container.Image = a.proxyImage
-	ss.ObjectMeta = metav1.ObjectMeta{
-		Name:      headlessSvc.Name,
-		Namespace: a.operatorNamespace,
-		Labels:    sts.ChildResourceLabels,
-	}
-	ss.Spec.ServiceName = headlessSvc.Name
-	ss.Spec.Selector = &metav1.LabelSelector{
-		MatchLabels: map[string]string{
-			"app": sts.ParentResourceUID,
-		},
-	}
-	mak.Set(&ss.Spec.Template.Labels, "app", sts.ParentResourceUID)
-
-	// Generic containerboot configuration options.
 	container.Env = append(container.Env,
 		corev1.EnvVar{
 			Name:  "TS_KUBE_SECRET",
-			Value: proxySecret,
+			Value: authKeySecret,
 		},
-	)
-	if !shouldDoTailscaledDeclarativeConfig(sts) {
-		container.Env = append(container.Env, corev1.EnvVar{
+		corev1.EnvVar{
 			Name:  "TS_HOSTNAME",
 			Value: sts.Hostname,
 		})
-		// containerboot currently doesn't have a way to re-read the hostname/ip as
-		// it is passed via an environment variable. So we need to restart the
-		// container when the value changes. We do this by adding an annotation to
-		// the pod template that contains the last value we set.
-		mak.Set(&ss.Spec.Template.Annotations, podAnnotationLastSetHostname, sts.Hostname)
-	}
-	// Configure containeboot to run tailscaled with a configfile read from the state Secret.
-	if shouldDoTailscaledDeclarativeConfig(sts) {
-		mak.Set(&ss.Spec.Template.Annotations, podAnnotationLastSetConfigFileHash, tsConfigHash)
-		ss.Spec.Template.Spec.Volumes = append(ss.Spec.Template.Spec.Volumes, corev1.Volume{
-			Name: "tailscaledconfig",
-			VolumeSource: corev1.VolumeSource{
-				Secret: &corev1.SecretVolumeSource{
-					SecretName: proxySecret,
-					Items: []corev1.KeyToPath{{
-						Key:  tailscaledConfigKey,
-						Path: tailscaledConfigKey,
-					}},
-				},
-			},
-		})
-		container.VolumeMounts = append(container.VolumeMounts, corev1.VolumeMount{
-			Name:      "tailscaledconfig",
-			ReadOnly:  true,
-			MountPath: "/etc/tsconfig",
-		})
-		container.Env = append(container.Env, corev1.EnvVar{
-			Name:  "EXPERIMENTAL_TS_CONFIGFILE_PATH",
-			Value: "/etc/tsconfig/tailscaled",
-		})
-	}

-	if a.tsFirewallMode != "" {
-		container.Env = append(container.Env, corev1.EnvVar{
-			Name:  "TS_DEBUG_FIREWALL_MODE",
-			Value: a.tsFirewallMode,
-		})
-	}
-	ss.Spec.Template.Spec.PriorityClassName = a.proxyPriorityClassName
-
-	// Ingress/egress proxy configuration options.
+	var configFileHash string
 	if sts.ClusterTargetIP != "" {
 		container.Env = append(container.Env, corev1.EnvVar{
 			Name:  "TS_DEST_IP",
 			Value: sts.ClusterTargetIP,
 		})
-		mak.Set(&ss.Spec.Template.Annotations, podAnnotationLastSetClusterIP, sts.ClusterTargetIP)
 	} else if sts.TailnetTargetIP != "" {
 		container.Env = append(container.Env, corev1.EnvVar{
 			Name:  "TS_TAILNET_TARGET_IP",
 			Value: sts.TailnetTargetIP,
 		})
-		mak.Set(&ss.Spec.Template.Annotations, podAnnotationLastSetTailnetTargetIP, sts.TailnetTargetIP)
 	} else if sts.TailnetTargetFQDN != "" {
 		container.Env = append(container.Env, corev1.EnvVar{
 			Name:  "TS_TAILNET_TARGET_FQDN",
 			Value: sts.TailnetTargetFQDN,
 		})
-		mak.Set(&ss.Spec.Template.Annotations, podAnnotationLastSetTailnetTargetFQDN, sts.TailnetTargetFQDN)
 	} else if sts.ServeConfig != nil {
 		container.Env = append(container.Env, corev1.EnvVar{
 			Name:  "TS_SERVE_CONFIG",
@@ -498,7 +431,7 @@ func (a *tailscaleSTSReconciler) reconcileSTS(ctx context.Context, logger *zap.S
 			Name: "serve-config",
 			VolumeSource: corev1.VolumeSource{
 				Secret: &corev1.SecretVolumeSource{
-					SecretName: proxySecret,
+					SecretName: authKeySecret,
 					Items: []corev1.KeyToPath{{
 						Key:  "serve-config",
 						Path: "serve-config",
@@ -506,48 +439,91 @@ func (a *tailscaleSTSReconciler) reconcileSTS(ctx context.Context, logger *zap.S
 				},
 			},
 		})
+	} else if sts.Connector != nil {
+		// TODO: definitely not the right place for this
+		var err error
+		configFileHash, err = a.tsConfigCM(ctx, headlessSvc.Name, a.operatorNamespace, logger, sts)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create configmap: %w", err)
+		}
+		container.Env = append(container.Env, corev1.EnvVar{
+			Name:  "TS_CONFIGFILE_PATH",
+			Value: "/tsconfig/tailscaled",
+		})
+		ss.Spec.Template.Spec.Volumes = append(ss.Spec.Template.Spec.Volumes, corev1.Volume{
+			Name: "configfile",
+			VolumeSource: corev1.VolumeSource{
+				ConfigMap: &corev1.ConfigMapVolumeSource{
+					LocalObjectReference: corev1.LocalObjectReference{
+						Name: headlessSvc.Name,
+					},
+				},
+			},
+		})
+		container.VolumeMounts = append(container.VolumeMounts, corev1.VolumeMount{
+			Name:      "configfile",
+			MountPath: "/tsconfig",
+		})
+		if sts.key != "" {
+
+		}
+		// We need to provide these env vars even if the values are empty to
+		// ensure that a transition from a Connector with a defined subnet
+		// router or exit node to one without succeeds.
+		// container.Env = append(container.Env, corev1.EnvVar{
+		// 	Name:  "TS_EXTRA_ARGS",
+		// 	Value: fmt.Sprintf("--advertise-exit-node=%v", sts.Connector.isExitNode),
+		// })
+		// container.Env = append(container.Env, corev1.EnvVar{
+		// 	Name:  "TS_ROUTES",
+		// 	Value: sts.Connector.routes,
+		// })
 	}
+	if a.tsFirewallMode != "" {
+		container.Env = append(container.Env, corev1.EnvVar{
+			Name:  "TS_DEBUG_FIREWALL_MODE",
+			Value: a.tsFirewallMode,
+		})
+	}
+	ss.ObjectMeta = metav1.ObjectMeta{
+		Name:      headlessSvc.Name,
+		Namespace: a.operatorNamespace,
+		Labels:    sts.ChildResourceLabels,
+	}
+	ss.Spec.ServiceName = headlessSvc.Name
+	ss.Spec.Selector = &metav1.LabelSelector{
+		MatchLabels: map[string]string{
+			"app": sts.ParentResourceUID,
+		},
+	}
+
+	// containerboot currently doesn't have a way to re-read the hostname/ip as
+	// it is passed via an environment variable. So we need to restart the
+	// container when the value changes. We do this by adding an annotation to
+	// the pod template that contains the last value we set.
+	ss.Spec.Template.Annotations = map[string]string{
+		podAnnotationLastSetHostname: sts.Hostname,
+	}
+	if sts.ClusterTargetIP != "" {
+		ss.Spec.Template.Annotations[podAnnotationLastSetClusterIP] = sts.ClusterTargetIP
+	}
+	if sts.TailnetTargetIP != "" {
+		ss.Spec.Template.Annotations[podAnnotationLastSetTailnetTargetIP] = sts.TailnetTargetIP
+	}
+	if sts.TailnetTargetFQDN != "" {
+		ss.Spec.Template.Annotations[podAnnotationLastSetTailnetTargetFQDN] = sts.TailnetTargetFQDN
+	}
+	if configFileHash != "" {
+		ss.Spec.Template.Annotations[podAnnotationLastSetTailnetTargetFQDN] = configFileHash
+	}
+	ss.Spec.Template.Labels = map[string]string{
+		"app": sts.ParentResourceUID,
+	}
+	ss.Spec.Template.Spec.PriorityClassName = a.proxyPriorityClassName
 	logger.Debugf("reconciling statefulset %s/%s", ss.GetNamespace(), ss.GetName())
 	return createOrUpdate(ctx, a.Client, a.operatorNamespace, &ss, func(s *appsv1.StatefulSet) { s.Spec = ss.Spec })
 }

-// tailscaledConfig takes a proxy config, a newly generated auth key if
-// generated and a Secret with the previous proxy state and auth key and
-// produces returns tailscaled configuration and a hash of that configuration.
-func tailscaledConfig(stsC *tailscaleSTSConfig, newAuthkey string, oldSecret *corev1.Secret) ([]byte, string, error) {
-	conf := ipn.ConfigVAlpha{
-		Version:   "alpha0",
-		AcceptDNS: "false",
-		Locked:    "false",
-		Hostname:  &stsC.Hostname,
-	}
-	if stsC.Connector != nil {
-		routes, err := netutil.CalcAdvertiseRoutes(stsC.Connector.routes, stsC.Connector.isExitNode)
-		if err != nil {
-			return nil, "", fmt.Errorf("error calculating routes: %w", err)
-		}
-		conf.AdvertiseRoutes = routes
-	}
-	if newAuthkey != "" {
-		conf.AuthKey = &newAuthkey
-	} else if oldSecret != nil && len(oldSecret.Data[tailscaledConfigKey]) > 0 { // write to StringData, read from Data as StringData is write-only
-		origConf := &ipn.ConfigVAlpha{}
-		if err := json.Unmarshal([]byte(oldSecret.Data[tailscaledConfigKey]), origConf); err != nil {
-			return nil, "", fmt.Errorf("error unmarshaling previous tailscaled config: %w", err)
-		}
-		conf.AuthKey = origConf.AuthKey
-	}
-	confFileBytes, err := json.Marshal(conf)
-	if err != nil {
-		return nil, "", fmt.Errorf("error marshaling tailscaled config : %w", err)
-	}
-	hash, err := hashBytes(confFileBytes)
-	if err != nil {
-		return nil, "", fmt.Errorf("error calculating config hash: %w", err)
-	}
-	return confFileBytes, hash, nil
-}
-
 // ptrObject is a type constraint for pointer types that implement
 // client.Object.
 type ptrObject[T any] interface {
@@ -555,24 +531,6 @@ type ptrObject[T any] interface {
 	*T
 }

-// hashBytes produces a hash for the provided bytes that is the same across
-// different invocations of this code. We do not use the
-// tailscale.com/deephash.Hash here because that produces a different hash for
-// the same value in different tailscale builds. The hash we are producing here
-// is used to determine if the container running the Connector Tailscale node
-// needs to be restarted. The container does not need restarting when the only
-// thing that changed is operator version (the hash is also exposed to users via
-// an annotation and might be confusing if it changes without the config having
-// changed).
-func hashBytes(b []byte) (string, error) {
-	h := sha256.New()
-	_, err := h.Write(b)
-	if err != nil {
-		return "", fmt.Errorf("error calculating hash: %w", err)
-	}
-	return fmt.Sprintf("%x", h.Sum(nil)), nil
-}
-
 // createOrUpdate adds obj to the k8s cluster, unless the object already exists,
 // in which case update is called to make changes to it. If update is nil, the
 // existing object is returned unmodified.
@@ -676,10 +634,3 @@ func nameForService(svc *corev1.Service) (string, error) {
 func isValidFirewallMode(m string) bool {
 	return m == "auto" || m == "nftables" || m == "iptables"
 }
-
-// shouldDoTailscaledDeclarativeConfig determines whether the proxy instance
-// should be configured to run tailscaled only with a all config opts passed to
-// tailscaled.
-func shouldDoTailscaledDeclarativeConfig(stsC *tailscaleSTSConfig) bool {
-	return stsC.Connector != nil
-}
--- a/cmd/k8s-operator/testutils_test.go
+++ b/cmd/k8s-operator/testutils_test.go
@@ -1,411 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build !plan9
-
-package main
-
-import (
-	"context"
-	"encoding/json"
-	"net/netip"
-	"strings"
-	"sync"
-	"testing"
-	"time"
-
-	"github.com/google/go-cmp/cmp"
-	appsv1 "k8s.io/api/apps/v1"
-	corev1 "k8s.io/api/core/v1"
-	apierrors "k8s.io/apimachinery/pkg/api/errors"
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/types"
-	"sigs.k8s.io/controller-runtime/pkg/client"
-	"sigs.k8s.io/controller-runtime/pkg/reconcile"
-	"tailscale.com/client/tailscale"
-	"tailscale.com/ipn"
-	"tailscale.com/types/ptr"
-	"tailscale.com/util/mak"
-)
-
-// confgOpts contains configuration options for creating cluster resources for
-// Tailscale proxies.
-type configOpts struct {
-	stsName                    string
-	secretName                 string
-	hostname                   string
-	namespace                  string
-	parentType                 string
-	priorityClassName          string
-	firewallMode               string
-	tailnetTargetIP            string
-	tailnetTargetFQDN          string
-	clusterTargetIP            string
-	subnetRoutes               string
-	isExitNode                 bool
-	shouldUseDeclarativeConfig bool // tailscaled in proxy should be configured using config file
-	confFileHash               string
-}
-
-func expectedSTS(opts configOpts) *appsv1.StatefulSet {
-	tsContainer := corev1.Container{
-		Name:  "tailscale",
-		Image: "tailscale/tailscale",
-		Env: []corev1.EnvVar{
-			{Name: "TS_USERSPACE", Value: "false"},
-			{Name: "TS_AUTH_ONCE", Value: "true"},
-			{Name: "TS_KUBE_SECRET", Value: opts.secretName},
-		},
-		SecurityContext: &corev1.SecurityContext{
-			Capabilities: &corev1.Capabilities{
-				Add: []corev1.Capability{"NET_ADMIN"},
-			},
-		},
-		ImagePullPolicy: "Always",
-	}
-	annots := make(map[string]string)
-	var volumes []corev1.Volume
-	if opts.shouldUseDeclarativeConfig {
-		volumes = []corev1.Volume{
-			{
-				Name: "tailscaledconfig",
-				VolumeSource: corev1.VolumeSource{
-					Secret: &corev1.SecretVolumeSource{
-						SecretName: opts.secretName,
-						Items: []corev1.KeyToPath{
-							{
-								Key:  "tailscaled",
-								Path: "tailscaled",
-							},
-						},
-					},
-				},
-			},
-		}
-		tsContainer.VolumeMounts = []corev1.VolumeMount{{
-			Name:      "tailscaledconfig",
-			ReadOnly:  true,
-			MountPath: "/etc/tsconfig",
-		}}
-		tsContainer.Env = append(tsContainer.Env, corev1.EnvVar{
-			Name:  "EXPERIMENTAL_TS_CONFIGFILE_PATH",
-			Value: "/etc/tsconfig/tailscaled",
-		})
-		annots["tailscale.com/operator-last-set-config-file-hash"] = opts.confFileHash
-	} else {
-		tsContainer.Env = append(tsContainer.Env, corev1.EnvVar{Name: "TS_HOSTNAME", Value: opts.hostname})
-		annots["tailscale.com/operator-last-set-hostname"] = opts.hostname
-	}
-	if opts.firewallMode != "" {
-		tsContainer.Env = append(tsContainer.Env, corev1.EnvVar{
-			Name:  "TS_DEBUG_FIREWALL_MODE",
-			Value: opts.firewallMode,
-		})
-	}
-	if opts.tailnetTargetIP != "" {
-		annots["tailscale.com/operator-last-set-ts-tailnet-target-ip"] = opts.tailnetTargetIP
-		tsContainer.Env = append(tsContainer.Env, corev1.EnvVar{
-			Name:  "TS_TAILNET_TARGET_IP",
-			Value: opts.tailnetTargetIP,
-		})
-	} else if opts.tailnetTargetFQDN != "" {
-		annots["tailscale.com/operator-last-set-ts-tailnet-target-fqdn"] = opts.tailnetTargetFQDN
-		tsContainer.Env = append(tsContainer.Env, corev1.EnvVar{
-			Name:  "TS_TAILNET_TARGET_FQDN",
-			Value: opts.tailnetTargetFQDN,
-		})
-
-	} else if opts.clusterTargetIP != "" {
-		tsContainer.Env = append(tsContainer.Env, corev1.EnvVar{
-			Name:  "TS_DEST_IP",
-			Value: opts.clusterTargetIP,
-		})
-		annots["tailscale.com/operator-last-set-cluster-ip"] = opts.clusterTargetIP
-	}
-	return &appsv1.StatefulSet{
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "StatefulSet",
-			APIVersion: "apps/v1",
-		},
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      opts.stsName,
-			Namespace: "operator-ns",
-			Labels: map[string]string{
-				"tailscale.com/managed":              "true",
-				"tailscale.com/parent-resource":      "test",
-				"tailscale.com/parent-resource-ns":   opts.namespace,
-				"tailscale.com/parent-resource-type": opts.parentType,
-			},
-		},
-		Spec: appsv1.StatefulSetSpec{
-			Replicas: ptr.To[int32](1),
-			Selector: &metav1.LabelSelector{
-				MatchLabels: map[string]string{"app": "1234-UID"},
-			},
-			ServiceName: opts.stsName,
-			Template: corev1.PodTemplateSpec{
-				ObjectMeta: metav1.ObjectMeta{
-					Annotations:                annots,
-					DeletionGracePeriodSeconds: ptr.To[int64](10),
-					Labels:                     map[string]string{"app": "1234-UID"},
-				},
-				Spec: corev1.PodSpec{
-					ServiceAccountName: "proxies",
-					PriorityClassName:  opts.priorityClassName,
-					InitContainers: []corev1.Container{
-						{
-							Name:    "sysctler",
-							Image:   "tailscale/tailscale",
-							Command: []string{"/bin/sh"},
-							Args:    []string{"-c", "sysctl -w net.ipv4.ip_forward=1 net.ipv6.conf.all.forwarding=1"},
-							SecurityContext: &corev1.SecurityContext{
-								Privileged: ptr.To(true),
-							},
-						},
-					},
-					Containers: []corev1.Container{tsContainer},
-					Volumes:    volumes,
-				},
-			},
-		},
-	}
-}
-
-func expectedHeadlessService(name string) *corev1.Service {
-	return &corev1.Service{
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "Service",
-			APIVersion: "v1",
-		},
-		ObjectMeta: metav1.ObjectMeta{
-			Name:         name,
-			GenerateName: "ts-test-",
-			Namespace:    "operator-ns",
-			Labels: map[string]string{
-				"tailscale.com/managed":              "true",
-				"tailscale.com/parent-resource":      "test",
-				"tailscale.com/parent-resource-ns":   "default",
-				"tailscale.com/parent-resource-type": "svc",
-			},
-		},
-		Spec: corev1.ServiceSpec{
-			Selector: map[string]string{
-				"app": "1234-UID",
-			},
-			ClusterIP: "None",
-		},
-	}
-}
-
-func expectedSecret(t *testing.T, opts configOpts) *corev1.Secret {
-	t.Helper()
-	labels := map[string]string{
-		"tailscale.com/managed":              "true",
-		"tailscale.com/parent-resource":      "test",
-		"tailscale.com/parent-resource-type": opts.parentType,
-	}
-	s := &corev1.Secret{
-		TypeMeta: metav1.TypeMeta{
-			Kind:       "Secret",
-			APIVersion: "v1",
-		},
-		ObjectMeta: metav1.ObjectMeta{
-			Name:      opts.secretName,
-			Namespace: "operator-ns",
-		},
-	}
-	if !opts.shouldUseDeclarativeConfig {
-		mak.Set(&s.StringData, "authkey", "secret-authkey")
-		labels["tailscale.com/parent-resource-ns"] = opts.namespace
-	} else {
-		conf := &ipn.ConfigVAlpha{
-			Version:   "alpha0",
-			AcceptDNS: "false",
-			Hostname:  &opts.hostname,
-			Locked:    "false",
-			AuthKey:   ptr.To("secret-authkey"),
-		}
-		var routes []netip.Prefix
-		if opts.subnetRoutes != "" || opts.isExitNode {
-			r := opts.subnetRoutes
-			if opts.isExitNode {
-				r = "0.0.0.0/0,::/0," + r
-			}
-			for _, rr := range strings.Split(r, ",") {
-				prefix, err := netip.ParsePrefix(rr)
-				if err != nil {
-					t.Fatal(err)
-				}
-				routes = append(routes, prefix)
-			}
-		}
-		conf.AdvertiseRoutes = routes
-		b, err := json.Marshal(conf)
-		if err != nil {
-			t.Fatalf("error marshalling tailscaled config")
-		}
-		mak.Set(&s.StringData, "tailscaled", string(b))
-		labels["tailscale.com/parent-resource-ns"] = "" // Connector is cluster scoped
-	}
-	s.Labels = labels
-	return s
-}
-
-func findGenName(t *testing.T, client client.Client, ns, name, typ string) (full, noSuffix string) {
-	t.Helper()
-	labels := map[string]string{
-		LabelManaged:         "true",
-		LabelParentName:      name,
-		LabelParentNamespace: ns,
-		LabelParentType:      typ,
-	}
-	s, err := getSingleObject[corev1.Secret](context.Background(), client, "operator-ns", labels)
-	if err != nil {
-		t.Fatalf("finding secret for %q: %v", name, err)
-	}
-	if s == nil {
-		t.Fatalf("no secret found for %q %s %+#v", name, ns, labels)
-	}
-	return s.GetName(), strings.TrimSuffix(s.GetName(), "-0")
-}
-
-func mustCreate(t *testing.T, client client.Client, obj client.Object) {
-	t.Helper()
-	if err := client.Create(context.Background(), obj); err != nil {
-		t.Fatalf("creating %q: %v", obj.GetName(), err)
-	}
-}
-
-func mustUpdate[T any, O ptrObject[T]](t *testing.T, client client.Client, ns, name string, update func(O)) {
-	t.Helper()
-	obj := O(new(T))
-	if err := client.Get(context.Background(), types.NamespacedName{
-		Name:      name,
-		Namespace: ns,
-	}, obj); err != nil {
-		t.Fatalf("getting %q: %v", name, err)
-	}
-	update(obj)
-	if err := client.Update(context.Background(), obj); err != nil {
-		t.Fatalf("updating %q: %v", name, err)
-	}
-}
-
-func mustUpdateStatus[T any, O ptrObject[T]](t *testing.T, client client.Client, ns, name string, update func(O)) {
-	t.Helper()
-	obj := O(new(T))
-	if err := client.Get(context.Background(), types.NamespacedName{
-		Name:      name,
-		Namespace: ns,
-	}, obj); err != nil {
-		t.Fatalf("getting %q: %v", name, err)
-	}
-	update(obj)
-	if err := client.Status().Update(context.Background(), obj); err != nil {
-		t.Fatalf("updating %q: %v", name, err)
-	}
-}
-
-func expectEqual[T any, O ptrObject[T]](t *testing.T, client client.Client, want O) {
-	t.Helper()
-	got := O(new(T))
-	if err := client.Get(context.Background(), types.NamespacedName{
-		Name:      want.GetName(),
-		Namespace: want.GetNamespace(),
-	}, got); err != nil {
-		t.Fatalf("getting %q: %v", want.GetName(), err)
-	}
-	// The resource version changes eagerly whenever the operator does even a
-	// no-op update. Asserting a specific value leads to overly brittle tests,
-	// so just remove it from both got and want.
-	got.SetResourceVersion("")
-	want.SetResourceVersion("")
-	if diff := cmp.Diff(got, want); diff != "" {
-		t.Fatalf("unexpected object (-got +want):\n%s", diff)
-	}
-}
-
-func expectMissing[T any, O ptrObject[T]](t *testing.T, client client.Client, ns, name string) {
-	t.Helper()
-	obj := O(new(T))
-	if err := client.Get(context.Background(), types.NamespacedName{
-		Name:      name,
-		Namespace: ns,
-	}, obj); !apierrors.IsNotFound(err) {
-		t.Fatalf("object %s/%s unexpectedly present, wanted missing", ns, name)
-	}
-}
-
-func expectReconciled(t *testing.T, sr reconcile.Reconciler, ns, name string) {
-	t.Helper()
-	req := reconcile.Request{
-		NamespacedName: types.NamespacedName{
-			Namespace: ns,
-			Name:      name,
-		},
-	}
-	res, err := sr.Reconcile(context.Background(), req)
-	if err != nil {
-		t.Fatalf("Reconcile: unexpected error: %v", err)
-	}
-	if res.Requeue {
-		t.Fatalf("unexpected immediate requeue")
-	}
-	if res.RequeueAfter != 0 {
-		t.Fatalf("unexpected timed requeue (%v)", res.RequeueAfter)
-	}
-}
-
-func expectRequeue(t *testing.T, sr reconcile.Reconciler, ns, name string) {
-	t.Helper()
-	req := reconcile.Request{
-		NamespacedName: types.NamespacedName{
-			Name:      name,
-			Namespace: ns,
-		},
-	}
-	res, err := sr.Reconcile(context.Background(), req)
-	if err != nil {
-		t.Fatalf("Reconcile: unexpected error: %v", err)
-	}
-	if res.RequeueAfter == 0 {
-		t.Fatalf("expected timed requeue, got success")
-	}
-}
-
-type fakeTSClient struct {
-	sync.Mutex
-	keyRequests []tailscale.KeyCapabilities
-	deleted     []string
-}
-
-func (c *fakeTSClient) CreateKey(ctx context.Context, caps tailscale.KeyCapabilities) (string, *tailscale.Key, error) {
-	c.Lock()
-	defer c.Unlock()
-	c.keyRequests = append(c.keyRequests, caps)
-	k := &tailscale.Key{
-		ID:           "key",
-		Created:      time.Now(),
-		Capabilities: caps,
-	}
-	return "secret-authkey", k, nil
-}
-
-func (c *fakeTSClient) DeleteDevice(ctx context.Context, deviceID string) error {
-	c.Lock()
-	defer c.Unlock()
-	c.deleted = append(c.deleted, deviceID)
-	return nil
-}
-
-func (c *fakeTSClient) KeyRequests() []tailscale.KeyCapabilities {
-	c.Lock()
-	defer c.Unlock()
-	return c.keyRequests
-}
-
-func (c *fakeTSClient) Deleted() []string {
-	c.Lock()
-	defer c.Unlock()
-	return c.deleted
-}
--- a/cmd/stund/depaware.txt
+++ b/cmd/stund/depaware.txt
@@ -1,190 +0,0 @@
-tailscale.com/cmd/stund dependencies: (generated by github.com/tailscale/depaware)
-
-        github.com/beorn7/perks/quantile                             from github.com/prometheus/client_golang/prometheus
-     💣 github.com/cespare/xxhash/v2                                 from github.com/prometheus/client_golang/prometheus
-        github.com/golang/protobuf/proto                             from github.com/matttproud/golang_protobuf_extensions/pbutil
-        github.com/google/uuid                                       from tailscale.com/tsweb
-        github.com/matttproud/golang_protobuf_extensions/pbutil      from github.com/prometheus/common/expfmt
-     💣 github.com/prometheus/client_golang/prometheus               from tailscale.com/tsweb/promvarz
-        github.com/prometheus/client_golang/prometheus/internal      from github.com/prometheus/client_golang/prometheus
-        github.com/prometheus/client_model/go                        from github.com/prometheus/client_golang/prometheus+
-        github.com/prometheus/common/expfmt                          from github.com/prometheus/client_golang/prometheus+
-        github.com/prometheus/common/internal/bitbucket.org/ww/goautoneg from github.com/prometheus/common/expfmt
-        github.com/prometheus/common/model                           from github.com/prometheus/client_golang/prometheus+
-  LD    github.com/prometheus/procfs                                 from github.com/prometheus/client_golang/prometheus
-  LD    github.com/prometheus/procfs/internal/fs                     from github.com/prometheus/procfs
-  LD    github.com/prometheus/procfs/internal/util                   from github.com/prometheus/procfs
-     💣 go4.org/mem                                                  from tailscale.com/metrics+
-        go4.org/netipx                                               from tailscale.com/net/tsaddr
-        google.golang.org/protobuf/encoding/prototext                from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/encoding/protowire                from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/internal/descfmt                  from google.golang.org/protobuf/internal/filedesc
-        google.golang.org/protobuf/internal/descopts                 from google.golang.org/protobuf/internal/filedesc+
-        google.golang.org/protobuf/internal/detrand                  from google.golang.org/protobuf/internal/descfmt+
-        google.golang.org/protobuf/internal/encoding/defval          from google.golang.org/protobuf/internal/encoding/tag+
-        google.golang.org/protobuf/internal/encoding/messageset      from google.golang.org/protobuf/encoding/prototext+
-        google.golang.org/protobuf/internal/encoding/tag             from google.golang.org/protobuf/internal/impl
-        google.golang.org/protobuf/internal/encoding/text            from google.golang.org/protobuf/encoding/prototext+
-        google.golang.org/protobuf/internal/errors                   from google.golang.org/protobuf/encoding/prototext+
-        google.golang.org/protobuf/internal/filedesc                 from google.golang.org/protobuf/internal/encoding/tag+
-        google.golang.org/protobuf/internal/filetype                 from google.golang.org/protobuf/runtime/protoimpl
-        google.golang.org/protobuf/internal/flags                    from google.golang.org/protobuf/encoding/prototext+
-        google.golang.org/protobuf/internal/genid                    from google.golang.org/protobuf/encoding/prototext+
-     💣 google.golang.org/protobuf/internal/impl                     from google.golang.org/protobuf/internal/filetype+
-        google.golang.org/protobuf/internal/order                    from google.golang.org/protobuf/encoding/prototext+
-        google.golang.org/protobuf/internal/pragma                   from google.golang.org/protobuf/encoding/prototext+
-        google.golang.org/protobuf/internal/set                      from google.golang.org/protobuf/encoding/prototext
-     💣 google.golang.org/protobuf/internal/strs                     from google.golang.org/protobuf/encoding/prototext+
-        google.golang.org/protobuf/internal/version                  from google.golang.org/protobuf/runtime/protoimpl
-        google.golang.org/protobuf/proto                             from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/reflect/protodesc                 from github.com/golang/protobuf/proto
-     💣 google.golang.org/protobuf/reflect/protoreflect              from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/reflect/protoregistry             from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/runtime/protoiface                from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/runtime/protoimpl                 from github.com/golang/protobuf/proto+
-        google.golang.org/protobuf/types/descriptorpb                from google.golang.org/protobuf/reflect/protodesc
-        google.golang.org/protobuf/types/known/timestamppb           from github.com/prometheus/client_golang/prometheus+
-        tailscale.com                                                from tailscale.com/version
-        tailscale.com/envknob                                        from tailscale.com/tsweb+
-        tailscale.com/metrics                                        from tailscale.com/net/stunserver+
-        tailscale.com/net/netaddr                                    from tailscale.com/net/tsaddr
-        tailscale.com/net/stun                                       from tailscale.com/net/stunserver
-        tailscale.com/net/stunserver                                 from tailscale.com/cmd/stund
-        tailscale.com/net/tsaddr                                     from tailscale.com/tsweb
-        tailscale.com/tailcfg                                        from tailscale.com/version
-        tailscale.com/tsweb                                          from tailscale.com/cmd/stund
-        tailscale.com/tsweb/promvarz                                 from tailscale.com/tsweb
-        tailscale.com/tsweb/varz                                     from tailscale.com/tsweb+
-        tailscale.com/types/dnstype                                  from tailscale.com/tailcfg
-        tailscale.com/types/ipproto                                  from tailscale.com/tailcfg
-        tailscale.com/types/key                                      from tailscale.com/tailcfg
-        tailscale.com/types/lazy                                     from tailscale.com/version+
-        tailscale.com/types/logger                                   from tailscale.com/tsweb
-        tailscale.com/types/opt                                      from tailscale.com/envknob+
-        tailscale.com/types/ptr                                      from tailscale.com/tailcfg
-        tailscale.com/types/structs                                  from tailscale.com/tailcfg+
-        tailscale.com/types/tkatype                                  from tailscale.com/tailcfg+
-        tailscale.com/types/views                                    from tailscale.com/net/tsaddr+
-        tailscale.com/util/cmpx                                      from tailscale.com/tailcfg+
-   L 💣 tailscale.com/util/dirwalk                                   from tailscale.com/metrics
-        tailscale.com/util/dnsname                                   from tailscale.com/tailcfg
-        tailscale.com/util/lineread                                  from tailscale.com/version/distro
-        tailscale.com/util/nocasemaps                                from tailscale.com/types/ipproto
-        tailscale.com/util/slicesx                                   from tailscale.com/tailcfg
-        tailscale.com/util/vizerror                                  from tailscale.com/tailcfg+
-        tailscale.com/version                                        from tailscale.com/envknob+
-        tailscale.com/version/distro                                 from tailscale.com/envknob
-        golang.org/x/crypto/blake2b                                  from golang.org/x/crypto/nacl/box
-        golang.org/x/crypto/chacha20                                 from golang.org/x/crypto/chacha20poly1305
-        golang.org/x/crypto/chacha20poly1305                         from crypto/tls
-        golang.org/x/crypto/cryptobyte                               from crypto/ecdsa+
-        golang.org/x/crypto/cryptobyte/asn1                          from crypto/ecdsa+
-        golang.org/x/crypto/curve25519                               from golang.org/x/crypto/nacl/box+
-        golang.org/x/crypto/hkdf                                     from crypto/tls
-        golang.org/x/crypto/nacl/box                                 from tailscale.com/types/key
-        golang.org/x/crypto/nacl/secretbox                           from golang.org/x/crypto/nacl/box
-        golang.org/x/crypto/salsa20/salsa                            from golang.org/x/crypto/nacl/box+
-        golang.org/x/net/dns/dnsmessage                              from net
-        golang.org/x/net/http/httpguts                               from net/http
-        golang.org/x/net/http/httpproxy                              from net/http
-        golang.org/x/net/http2/hpack                                 from net/http
-        golang.org/x/net/idna                                        from golang.org/x/net/http/httpguts+
-   D    golang.org/x/net/route                                       from net
-        golang.org/x/sys/cpu                                         from golang.org/x/crypto/blake2b+
-  LD    golang.org/x/sys/unix                                        from github.com/prometheus/procfs+
-   W    golang.org/x/sys/windows                                     from github.com/prometheus/client_golang/prometheus
-        golang.org/x/text/secure/bidirule                            from golang.org/x/net/idna
-        golang.org/x/text/transform                                  from golang.org/x/text/secure/bidirule+
-        golang.org/x/text/unicode/bidi                               from golang.org/x/net/idna+
-        golang.org/x/text/unicode/norm                               from golang.org/x/net/idna
-        bufio                                                        from compress/flate+
-        bytes                                                        from bufio+
-        cmp                                                          from slices
-        compress/flate                                               from compress/gzip
-        compress/gzip                                                from github.com/golang/protobuf/proto+
-        container/list                                               from crypto/tls+
-        context                                                      from crypto/tls+
-        crypto                                                       from crypto/ecdh+
-        crypto/aes                                                   from crypto/ecdsa+
-        crypto/cipher                                                from crypto/aes+
-        crypto/des                                                   from crypto/tls+
-        crypto/dsa                                                   from crypto/x509
-        crypto/ecdh                                                  from crypto/ecdsa+
-        crypto/ecdsa                                                 from crypto/tls+
-        crypto/ed25519                                               from crypto/tls+
-        crypto/elliptic                                              from crypto/ecdsa+
-        crypto/hmac                                                  from crypto/tls+
-        crypto/md5                                                   from crypto/tls+
-        crypto/rand                                                  from crypto/ed25519+
-        crypto/rc4                                                   from crypto/tls
-        crypto/rsa                                                   from crypto/tls+
-        crypto/sha1                                                  from crypto/tls+
-        crypto/sha256                                                from crypto/tls+
-        crypto/sha512                                                from crypto/ecdsa+
-        crypto/subtle                                                from crypto/aes+
-        crypto/tls                                                   from net/http+
-        crypto/x509                                                  from crypto/tls
-        crypto/x509/pkix                                             from crypto/x509
-        database/sql/driver                                          from github.com/google/uuid
-        embed                                                        from crypto/internal/nistec+
-        encoding                                                     from encoding/json+
-        encoding/asn1                                                from crypto/x509+
-        encoding/base64                                              from encoding/json+
-        encoding/binary                                              from compress/gzip+
-        encoding/hex                                                 from crypto/x509+
-        encoding/json                                                from expvar+
-        encoding/pem                                                 from crypto/tls+
-        errors                                                       from bufio+
-        expvar                                                       from github.com/prometheus/client_golang/prometheus+
-        flag                                                         from tailscale.com/cmd/stund
-        fmt                                                          from compress/flate+
-        go/token                                                     from google.golang.org/protobuf/internal/strs
-        hash                                                         from crypto+
-        hash/crc32                                                   from compress/gzip+
-        hash/fnv                                                     from google.golang.org/protobuf/internal/detrand
-        hash/maphash                                                 from go4.org/mem
-        html                                                         from net/http/pprof+
-        io                                                           from bufio+
-        io/fs                                                        from crypto/x509+
-        io/ioutil                                                    from github.com/golang/protobuf/proto+
-        log                                                          from expvar+
-        log/internal                                                 from log
-        maps                                                         from tailscale.com/tailcfg+
-        math                                                         from compress/flate+
-        math/big                                                     from crypto/dsa+
-        math/bits                                                    from compress/flate+
-        math/rand                                                    from math/big+
-        mime                                                         from github.com/prometheus/common/expfmt+
-        mime/multipart                                               from net/http
-        mime/quotedprintable                                         from mime/multipart
-        net                                                          from crypto/tls+
-        net/http                                                     from expvar+
-        net/http/httptrace                                           from net/http
-        net/http/internal                                            from net/http
-        net/http/pprof                                               from tailscale.com/tsweb+
-        net/netip                                                    from go4.org/netipx+
-        net/textproto                                                from golang.org/x/net/http/httpguts+
-        net/url                                                      from crypto/x509+
-        os                                                           from crypto/rand+
-        os/signal                                                    from tailscale.com/cmd/stund
-        path                                                         from github.com/prometheus/client_golang/prometheus/internal+
-        path/filepath                                                from crypto/x509+
-        reflect                                                      from crypto/x509+
-        regexp                                                       from github.com/prometheus/client_golang/prometheus/internal+
-        regexp/syntax                                                from regexp
-        runtime/debug                                                from github.com/prometheus/client_golang/prometheus+
-        runtime/metrics                                              from github.com/prometheus/client_golang/prometheus+
-        runtime/pprof                                                from net/http/pprof
-        runtime/trace                                                from net/http/pprof
-        slices                                                       from tailscale.com/metrics+
-        sort                                                         from compress/flate+
-        strconv                                                      from compress/flate+
-        strings                                                      from bufio+
-        sync                                                         from compress/flate+
-        sync/atomic                                                  from context+
-        syscall                                                      from crypto/rand+
-        text/tabwriter                                               from runtime/pprof
-        time                                                         from compress/gzip+
-        unicode                                                      from bytes+
-        unicode/utf16                                                from crypto/x509+
-        unicode/utf8                                                 from bufio+
--- a/cmd/stund/stund.go
+++ b/cmd/stund/stund.go
@@ -1,48 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// The stund binary is a standalone STUN server.
-package main
-
-import (
-	"context"
-	"flag"
-	"io"
-	"log"
-	"net/http"
-	"os/signal"
-	"syscall"
-
-	"tailscale.com/net/stunserver"
-	"tailscale.com/tsweb"
-)
-
-var (
-	stunAddr = flag.String("stun", ":3478", "UDP address on which to start the STUN server")
-	httpAddr = flag.String("http", ":3479", "address on which to start the debug http server")
-)
-
-func main() {
-	flag.Parse()
-
-	ctx, cancel := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
-	defer cancel()
-
-	log.Printf("HTTP server listening on %s", *httpAddr)
-	go http.ListenAndServe(*httpAddr, mux())
-
-	s := stunserver.New(ctx)
-	if err := s.ListenAndServe(*stunAddr); err != nil {
-		log.Fatal(err)
-	}
-}
-
-func mux() *http.ServeMux {
-	mux := http.NewServeMux()
-	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
-		io.WriteString(w, "<h1>stund</h1><a href=/debug>/debug</a>")
-	})
-	debug := tsweb.Debugger(mux)
-	debug.KV("stun_addr", *stunAddr)
-	return mux
-}
--- a/cmd/tailscale/cli/cli_test.go
+++ b/cmd/tailscale/cli/cli_test.go
@@ -718,24 +718,6 @@ func TestPrefsFromUpArgs(t *testing.T) {
 				},
 			},
 		},
-		{
-			name: "via_route_good_16_bit",
-			goos: "linux",
-			args: upArgsT{
-				advertiseRoutes: "fd7a:115c:a1e0:b1a::aabb:10.0.0.0/112",
-				netfilterMode:   "off",
-			},
-			want: &ipn.Prefs{
-				WantRunning: true,
-				NoSNAT:      true,
-				AdvertiseRoutes: []netip.Prefix{
-					netip.MustParsePrefix("fd7a:115c:a1e0:b1a::aabb:10.0.0.0/112"),
-				},
-				AutoUpdate: ipn.AutoUpdatePrefs{
-					Check: true,
-				},
-			},
-		},
 		{
 			name: "via_route_short_prefix",
 			goos: "linux",
@@ -752,7 +734,7 @@ func TestPrefsFromUpArgs(t *testing.T) {
 				advertiseRoutes: "fd7a:115c:a1e0:b1a:1234:5678::/112",
 				netfilterMode:   "off",
 			},
-			wantErr: "route fd7a:115c:a1e0:b1a:1234:5678::/112 contains invalid site ID 12345678; must be 0xffff or less",
+			wantErr: "route fd7a:115c:a1e0:b1a:1234:5678::/112 contains invalid site ID 12345678; must be 0xff or less",
 		},
 	}
 	for _, tt := range tests {
--- a/cmd/tailscale/cli/debug.go
+++ b/cmd/tailscale/cli/debug.go
@@ -274,16 +274,6 @@ var debugCmd = &ffcli.Command{
 			Exec:      runPeerEndpointChanges,
 			ShortHelp: "prints debug information about a peer's endpoint changes",
 		},
-		{
-			Name:      "dial-types",
-			Exec:      runDebugDialTypes,
-			ShortHelp: "prints debug information about connecting to a given host or IP",
-			FlagSet: (func() *flag.FlagSet {
-				fs := newFlagSet("dial-types")
-				fs.StringVar(&debugDialTypesArgs.network, "network", "tcp", `network type to dial ("tcp", "udp", etc.)`)
-				return fs
-			})(),
-		},
 	},
 }

@@ -693,8 +683,8 @@ func runVia(ctx context.Context, args []string) error {
 		if err != nil {
 			return fmt.Errorf("invalid site-id %q; must be decimal or hex with 0x prefix", args[0])
 		}
-		if siteID > 0xffff {
-			return fmt.Errorf("site-id values over 65535 are currently reserved")
+		if siteID > 0xff {
+			return fmt.Errorf("site-id values over 255 are currently reserved")
 		}
 		ipp, err := netip.ParsePrefix(args[1])
 		if err != nil {
@@ -1025,61 +1015,3 @@ func debugControlKnobs(ctx context.Context, args []string) error {
 	e.Encode(v)
 	return nil
 }
-
-var debugDialTypesArgs struct {
-	network string
-}
-
-func runDebugDialTypes(ctx context.Context, args []string) error {
-	st, err := localClient.Status(ctx)
-	if err != nil {
-		return fixTailscaledConnectError(err)
-	}
-	description, ok := isRunningOrStarting(st)
-	if !ok {
-		printf("%s\n", description)
-		os.Exit(1)
-	}
-
-	if len(args) != 2 || args[0] == "" || args[1] == "" {
-		return errors.New("usage: dial-types <hostname-or-IP> <port>")
-	}
-
-	port, err := strconv.ParseUint(args[1], 10, 16)
-	if err != nil {
-		return fmt.Errorf("invalid port %q: %w", args[1], err)
-	}
-
-	hostOrIP := args[0]
-	ip, _, err := tailscaleIPFromArg(ctx, hostOrIP)
-	if err != nil {
-		return err
-	}
-	if ip != hostOrIP {
-		log.Printf("lookup %q => %q", hostOrIP, ip)
-	}
-
-	qparams := make(url.Values)
-	qparams.Set("ip", ip)
-	qparams.Set("port", strconv.FormatUint(port, 10))
-	qparams.Set("network", debugDialTypesArgs.network)
-
-	req, err := http.NewRequestWithContext(ctx, "POST", "http://local-tailscaled.sock/localapi/v0/debug-dial-types?"+qparams.Encode(), nil)
-	if err != nil {
-		return err
-	}
-
-	resp, err := localClient.DoLocalRequest(req)
-	if err != nil {
-		return err
-	}
-	defer resp.Body.Close()
-
-	body, err := io.ReadAll(resp.Body)
-	if err != nil {
-		return err
-	}
-
-	fmt.Printf("%s", body)
-	return nil
-}
--- a/cmd/tailscale/cli/set.go
+++ b/cmd/tailscale/cli/set.go
@@ -12,7 +12,6 @@ import (
 	"os/exec"

 	"github.com/peterbourgon/ff/v3/ffcli"
-	"tailscale.com/client/web"
 	"tailscale.com/clientupdate"
 	"tailscale.com/ipn"
 	"tailscale.com/net/netutil"
@@ -194,15 +193,7 @@ func runSet(ctx context.Context, args []string) (retErr error) {
 	}

 	_, err = localClient.EditPrefs(ctx, maskedPrefs)
-	if err != nil {
-		return err
-	}
-
-	if setArgs.runWebClient && len(st.TailscaleIPs) > 0 {
-		printf("\nWeb interface now running at %s:%d", st.TailscaleIPs[0], web.ListenPort)
-	}
-
-	return nil
+	return err
 }

 // calcAdvertiseRoutesForSet returns the new value for Prefs.AdvertiseRoutes based on the
--- a/cmd/tailscale/depaware.txt
+++ b/cmd/tailscale/depaware.txt
@@ -19,7 +19,8 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
   L    github.com/google/nftables/internal/parseexprfunc            from github.com/google/nftables+
   L    github.com/google/nftables/xt                                from github.com/google/nftables/expr+
        github.com/google/uuid                                       from tailscale.com/util/quarantine+
-        github.com/gorilla/securecookie                              from github.com/tailscale/csrf
+        github.com/gorilla/csrf                                      from tailscale.com/client/web
+        github.com/gorilla/securecookie                              from github.com/gorilla/csrf
        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka+
   L    github.com/josharian/native                                  from github.com/mdlayher/netlink+
   L 💣 github.com/jsimonetti/rtnetlink                              from tailscale.com/net/interfaces+
@@ -37,10 +38,10 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        github.com/peterbourgon/ff/v3                                from github.com/peterbourgon/ff/v3/ffcli
        github.com/peterbourgon/ff/v3/ffcli                          from tailscale.com/cmd/tailscale/cli
        github.com/peterbourgon/ff/v3/internal                       from github.com/peterbourgon/ff/v3
+        github.com/pkg/errors                                        from github.com/gorilla/csrf
        github.com/skip2/go-qrcode                                   from tailscale.com/cmd/tailscale/cli
        github.com/skip2/go-qrcode/bitset                            from github.com/skip2/go-qrcode+
        github.com/skip2/go-qrcode/reedsolomon                       from github.com/skip2/go-qrcode
-        github.com/tailscale/csrf                                    from tailscale.com/client/web
   W 💣 github.com/tailscale/go-winio                                from tailscale.com/safesocket
   W 💣 github.com/tailscale/go-winio/internal/fs                    from github.com/tailscale/go-winio
   W 💣 github.com/tailscale/go-winio/internal/socket                from github.com/tailscale/go-winio
@@ -156,7 +157,6 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        tailscale.com/util/set                                       from tailscale.com/health+
        tailscale.com/util/singleflight                              from tailscale.com/net/dnscache+
        tailscale.com/util/slicesx                                   from tailscale.com/net/dnscache+
-        tailscale.com/util/syspolicy                                 from tailscale.com/ipn
        tailscale.com/util/testenv                                   from tailscale.com/cmd/tailscale/cli
        tailscale.com/util/truncate                                  from tailscale.com/cmd/tailscale/cli
        tailscale.com/util/vizerror                                  from tailscale.com/types/ipproto+
@@ -259,7 +259,8 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        hash/adler32                                                 from compress/zlib
        hash/crc32                                                   from compress/gzip+
        hash/maphash                                                 from go4.org/mem
-        html                                                         from tailscale.com/ipn/ipnstate
+        html                                                         from tailscale.com/ipn/ipnstate+
+        html/template                                                from github.com/gorilla/csrf
        image                                                        from github.com/skip2/go-qrcode+
        image/color                                                  from github.com/skip2/go-qrcode+
        image/png                                                    from github.com/skip2/go-qrcode
@@ -289,13 +290,12 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        os/exec                                                      from github.com/toqueteos/webbrowser+
        os/signal                                                    from tailscale.com/cmd/tailscale/cli
        os/user                                                      from tailscale.com/util/groupmember+
-        path                                                         from archive/tar+
+        path                                                         from html/template+
        path/filepath                                                from crypto/x509+
        reflect                                                      from crypto/x509+
        regexp                                                       from github.com/tailscale/goupnp/httpu+
        regexp/syntax                                                from regexp
        runtime/debug                                                from tailscale.com/util/singleflight+
-        runtime/trace                                                from testing
        slices                                                       from tailscale.com/cmd/tailscale/cli+
        sort                                                         from compress/flate+
        strconv                                                      from compress/flate+
@@ -303,8 +303,9 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
        sync                                                         from compress/flate+
        sync/atomic                                                  from context+
        syscall                                                      from crypto/rand+
-        testing                                                      from tailscale.com/util/syspolicy
        text/tabwriter                                               from github.com/peterbourgon/ff/v3/ffcli+
+        text/template                                                from html/template
+        text/template/parse                                          from html/template+
        time                                                         from compress/gzip+
        unicode                                                      from bytes+
        unicode/utf16                                                from encoding/asn1+
--- a/cmd/tailscaled/depaware.txt
+++ b/cmd/tailscaled/depaware.txt
@@ -95,7 +95,8 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   L    github.com/google/nftables/internal/parseexprfunc            from github.com/google/nftables+
   L    github.com/google/nftables/xt                                from github.com/google/nftables/expr+
        github.com/google/uuid                                       from tailscale.com/clientupdate
-        github.com/gorilla/securecookie                              from github.com/tailscale/csrf
+        github.com/gorilla/csrf                                      from tailscale.com/client/web
+        github.com/gorilla/securecookie                              from github.com/gorilla/csrf
        github.com/hdevalence/ed25519consensus                       from tailscale.com/tka+
   L 💣 github.com/illarion/gonotify                                 from tailscale.com/net/dns
   L    github.com/insomniacslk/dhcp/dhcpv4                          from tailscale.com/net/tstun
@@ -129,11 +130,11 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
   L    github.com/pierrec/lz4/v4/internal/lz4errors                 from github.com/pierrec/lz4/v4+
   L    github.com/pierrec/lz4/v4/internal/lz4stream                 from github.com/pierrec/lz4/v4
   L    github.com/pierrec/lz4/v4/internal/xxh32                     from github.com/pierrec/lz4/v4/internal/lz4stream
+        github.com/pkg/errors                                        from github.com/gorilla/csrf
  LD    github.com/pkg/sftp                                          from tailscale.com/ssh/tailssh
  LD    github.com/pkg/sftp/internal/encoding/ssh/filexfer           from github.com/pkg/sftp
   L 💣 github.com/safchain/ethtool                                  from tailscale.com/net/netkernelconf
   W 💣 github.com/tailscale/certstore                               from tailscale.com/control/controlclient
-        github.com/tailscale/csrf                                    from tailscale.com/client/web
   W 💣 github.com/tailscale/go-winio                                from tailscale.com/safesocket
   W 💣 github.com/tailscale/go-winio/internal/fs                    from github.com/tailscale/go-winio
   W 💣 github.com/tailscale/go-winio/internal/socket                from github.com/tailscale/go-winio
@@ -493,6 +494,7 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        hash/fnv                                                     from tailscale.com/wgengine/magicsock+
        hash/maphash                                                 from go4.org/mem
        html                                                         from tailscale.com/ipn/ipnlocal+
+        html/template                                                from github.com/gorilla/csrf
        io                                                           from bufio+
        io/fs                                                        from crypto/x509+
        io/ioutil                                                    from github.com/godbus/dbus/v5+
@@ -538,6 +540,8 @@ tailscale.com/cmd/tailscaled dependencies: (generated by github.com/tailscale/de
        syscall                                                      from crypto/rand+
        testing                                                      from tailscale.com/util/syspolicy
        text/tabwriter                                               from runtime/pprof
+        text/template                                                from html/template
+        text/template/parse                                          from html/template+
        time                                                         from compress/gzip+
        unicode                                                      from bytes+
        unicode/utf16                                                from crypto/x509+
--- a/cmd/tailscaled/taildrop.go
+++ b/cmd/tailscaled/taildrop.go
@@ -27,6 +27,7 @@ func configureTaildrop(logf logger.Logf, lb *ipnlocal.LocalBackend) {
 		} else {
 			logf("%s Taildrop: using %v", dg, path)
 			lb.SetDirectFileRoot(path)
+			lb.SetDirectFileDoFinalRename(true)
 		}
 	}

--- a/cmd/tailscaled/tailscaled.go
+++ b/cmd/tailscaled/tailscaled.go
@@ -332,11 +332,13 @@ func run() (err error) {
 	// Parse config, if specified, to fail early if it's invalid.
 	var conf *conffile.Config
 	if args.confFile != "" {
+		logf("loading config file")
 		conf, err = conffile.Load(args.confFile)
 		if err != nil {
 			return fmt.Errorf("error reading config file: %w", err)
 		}
 		sys.InitialConfig = conf
+		logf("loaded initial config: %#+v", string(sys.InitialConfig.Raw))
 	}

 	var netMon *netmon.Monitor
@@ -511,13 +513,7 @@ func getLocalBackend(ctx context.Context, logf logger.Logf, logID logid.PublicID
 			return ok
 		}
 		dialer.NetstackDialTCP = func(ctx context.Context, dst netip.AddrPort) (net.Conn, error) {
-			// Note: don't just return ns.DialContextTCP or we'll
-			// return an interface containing a nil pointer.
-			tcpConn, err := ns.DialContextTCP(ctx, dst)
-			if err != nil {
-				return nil, err
-			}
-			return tcpConn, nil
+			return ns.DialContextTCP(ctx, dst)
 		}
 	}
 	if socksListener != nil || httpProxyListener != nil {
--- a/control/controlclient/direct.go
+++ b/control/controlclient/direct.go
@@ -1044,7 +1044,7 @@ func (c *Direct) sendMapRequest(ctx context.Context, isStreaming bool, nu Netmap

 		var resp tailcfg.MapResponse
 		if err := c.decodeMsg(msg, &resp, machinePrivKey); err != nil {
-			vlogf("netmap: decode error: %v", err)
+			vlogf("netmap: decode error: %v")
 			return err
 		}
 		watchdogTimer.Stop()
--- a/control/controlclient/map.go
+++ b/control/controlclient/map.go
@@ -87,7 +87,6 @@ type mapSession struct {
 	lastPopBrowserURL      string
 	lastTKAInfo            *tailcfg.TKAInfo
 	lastNetmapSummary      string // from NetworkMap.VeryConcise
-	lastMaxExpiry          time.Duration
 }

 // newMapSession returns a mostly unconfigured new mapSession.
@@ -320,9 +319,6 @@ func (ms *mapSession) updateStateFromResponse(resp *tailcfg.MapResponse) {
 	if resp.TKAInfo != nil {
 		ms.lastTKAInfo = resp.TKAInfo
 	}
-	if resp.MaxKeyDuration > 0 {
-		ms.lastMaxExpiry = resp.MaxKeyDuration
-	}
 }

 var (
@@ -767,7 +763,6 @@ func (ms *mapSession) netmap() *netmap.NetworkMap {
 		DERPMap:           ms.lastDERPMap,
 		ControlHealth:     ms.lastHealth,
 		TKAEnabled:        ms.lastTKAInfo != nil && !ms.lastTKAInfo.Disabled,
-		MaxKeyDuration:    ms.lastMaxExpiry,
 	}

 	if ms.lastTKAInfo != nil && ms.lastTKAInfo.Head != "" {
--- a/control/controlknobs/controlknobs.go
+++ b/control/controlknobs/controlknobs.go
@@ -64,11 +64,6 @@ type Knobs struct {
 	// LinuxForceNfTables is whether the node should use nftables for Linux
 	// netfiltering, unless overridden by the user.
 	LinuxForceNfTables atomic.Bool
-
-	// SeamlessKeyRenewal is whether to enable the alpha functionality of
-	// renewing node keys without breaking connections.
-	// http://go/seamless-key-renewal
-	SeamlessKeyRenewal atomic.Bool
 }

 // UpdateFromNodeAttributes updates k (if non-nil) based on the provided self
@@ -94,7 +89,6 @@ func (k *Knobs) UpdateFromNodeAttributes(selfNodeAttrs []tailcfg.NodeCapability,
 		silentDisco                   = has(tailcfg.NodeAttrSilentDisco)
 		forceIPTables                 = has(tailcfg.NodeAttrLinuxMustUseIPTables)
 		forceNfTables                 = has(tailcfg.NodeAttrLinuxMustUseNfTables)
-		seamlessKeyRenewal            = has(tailcfg.NodeAttrSeamlessKeyRenewal)
 	)

 	if has(tailcfg.NodeAttrOneCGNATEnable) {
@@ -115,7 +109,6 @@ func (k *Knobs) UpdateFromNodeAttributes(selfNodeAttrs []tailcfg.NodeCapability,
 	k.SilentDisco.Store(silentDisco)
 	k.LinuxForceIPTables.Store(forceIPTables)
 	k.LinuxForceNfTables.Store(forceNfTables)
-	k.SeamlessKeyRenewal.Store(seamlessKeyRenewal)
 }

 // AsDebugJSON returns k as something that can be marshalled with json.Marshal
@@ -137,6 +130,5 @@ func (k *Knobs) AsDebugJSON() map[string]any {
 		"SilentDisco":                   k.SilentDisco.Load(),
 		"LinuxForceIPTables":            k.LinuxForceIPTables.Load(),
 		"LinuxForceNfTables":            k.LinuxForceNfTables.Load(),
-		"SeamlessKeyRenewal":            k.SeamlessKeyRenewal.Load(),
 	}
 }
--- a/docs/windows/policy/en-US/tailscale.adml
+++ b/docs/windows/policy/en-US/tailscale.adml
@@ -1,222 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<policyDefinitionResources revision="1.0" schemaVersion="1.0"
-                           xmlns="http://www.microsoft.com/GroupPolicy/PolicyDefinitions">
-    <displayName>Tailscale</displayName>
-    <description>A set of policies that enforces particular settings in the Tailscale Windows client.</description>
-    <resources>
-        <stringTable>
-            <string id="TAILSCALE_PRODUCT">Tailscale</string>
-            <string id="SINCE_V1_22">Tailscale version 1.22.0 and later</string>
-            <string id="SINCE_V1_26">Tailscale version 1.26.0 and later</string>
-            <string id="SINCE_V1_50">Tailscale version 1.50.0 and later</string>
-            <string id="SINCE_V1_52">Tailscale version 1.52.0 and later</string>
-            <string id="SINCE_V1_56">Tailscale version 1.56.0 and later</string>
-            <string id="PARTIAL_FULL_SINCE_V1_56">Tailscale version 1.56.0 and later (full support), some earlier versions (partial support)</string>
-            <string id="SINCE_V1_58">Tailscale version 1.58.0 and later</string>
-            <string id="Tailscale_Category">Tailscale</string>
-            <string id="UI_Category">UI customization</string>
-            <string id="Settings_Category">Settings</string>
-            <string id="LoginURL">Require using a specific Tailscale coordination server</string>
-            <string id="LoginURL_Help"><![CDATA[This policy can be used to require the use of a particular Tailscale coordination server.
-See https://tailscale.com/kb/1315/mdm-keys#set-a-custom-control-server-url for more details.
-
-If you configure this policy, set it to the URL of your coordination server, beginning with https:// and ending with no trailing slash. If blank or "https://controlplane.tailscale.com", the default coordination server will be required.
-
-If you disable this policy, the Tailscale SaaS coordination server will be used by default, but a non-standard Tailscale coordination server can be configured using the CLI.]]></string>
-            <string id="LogTarget">Require using a specific Tailscale log server</string>
-            <string id="LogTarget_Help"><![CDATA[This policy can be used to require the use of a non-standard log server.
-Please note that using a non-standard log server will limit Tailscale Support's ability to diagnose problems.
-
-If you configure this policy, set it to the URL of your log server, beginning with https:// and ending with no trailing slash. If blank or "https://log.tailscale.io", the default log server will be used.
-
-If you disable this policy, the Tailscale standard log server will be used by default, but a non-standard Tailscale log server can be configured using the TS_LOG_TARGET environment variable.]]></string>
-            <string id="Tailnet">Specify which Tailnet should be used for Login</string>
-            <string id="Tailnet_Help"><![CDATA[This policy can be used to suggest or require a specific tailnet when opening the login page.
-See https://tailscale.com/kb/1315/mdm-keys#set-a-suggested-or-required-tailnet for more details.
-
-To suggest a tailnet at login time, set this to the name of the tailnet, as shown in the top-left of the admin panel, such as "example.com". That tailnet's SSO button will be shown prominently, along with the option to select a different tailnet.
-
-To require logging in to a particular tailnet, add the "required:" prefix, such as "required:example.com". The result is similar to the suggested tailnet but there will be no option to choose a different tailnet.
-
-If you configure this policy, set it to the name of the tailnet, possibly with the "required:" prefix, as described above.
-
-If you disable this policy, the standard login page will be used.]]></string>
-            <string id="ExitNodeID">Require using a specific Exit Node</string>
-            <string id="ExitNodeID_Help"><![CDATA[This policy can be used to require always using the specified Exit Node whenever the Tailscale client is connected.
-See https://tailscale.com/kb/1315/mdm-keys#force-an-exit-node-to-always-be-used and https://tailscale.com/kb/1103/exit-nodes for more details.
-
-If you enable this policy, set it to the ID of an exit node. The ID is visible on the Machines page of the admin console, or can be queried using the Tailscale API. If the specified exit node is unavailable, this device will have no Internet access unless Tailscale is disconnected.
-
-If you disable this policy or supply an empty exit node ID, then usage of exit nodes will be disallowed.
-
-If you do not configure this policy, no exit node will be used by default but an exit node (if one is available and permitted by ACLs) can be chosen by the user if desired.]]></string>
-            <string id="AllowIncomingConnections">Allow incoming connections</string>
-            <string id="AllowIncomingConnections_Help"><![CDATA[This policy can be used to require that the Allow Incoming Connections setting is configured a certain way.
-See https://tailscale.com/kb/1315/mdm-keys#set-whether-to-allow-incoming-connections and https://tailscale.com/kb/1072/client-preferences#allow-incoming-connections for more details.
-
-If you enable this policy, then Allow Incoming Connections is always enabled and the menu option is hidden.
-
-If you disable this policy, then Allow Incoming Connections is always disabled and the menu option is hidden.
-
-If you do not configure this policy, then Allow Incoming Connections depends on what is selected in the Preferences submenu.]]></string>
-            <string id="UnattendedMode">Run Tailscale in Unattended Mode</string>
-            <string id="UnattendedMode_Help"><![CDATA[This policy can be used to require that the Run Unattended setting is configured a certain way.
-See https://tailscale.com/kb/1315/mdm-keys#set-unattended-mode and https://tailscale.com/kb/1088/run-unattended for more details.
-
-If you enable this policy, then Run Unattended is always enabled and the menu option is hidden.
-
-If you disable this policy, then Run Unattended is always disabled and the menu option is hidden.
-
-If you do not configure this policy, then Run Unattended depends on what is selected in the Preferences submenu.]]></string>
-            <string id="ExitNodeAllowLANAccess">Allow Local Network Access when an Exit Node is in use</string>
-            <string id="ExitNodeAllowLANAccess_Help"><![CDATA[This policy can be used to require that the Allow Local Network Access setting is configured a certain way.
-See https://tailscale.com/kb/1315/mdm-keys#toggle-local-network-access-when-an-exit-node-is-in-use and https://tailscale.com/kb/1103/exit-nodes#step-4-use-the-exit-node for more details.
-
-If you enable this policy, then Allow Local Network Access is always enabled and the menu option is hidden.
-
-If you disable this policy, then Allow Local Network Access is always disabled and the menu option is hidden.
-
-If you do not configure this policy, then Allow Local Network Access depends on what is selected in the Exit Node submenu.]]></string>
-            <string id="UseTailscaleDNSSettings">Use Tailscale DNS Settings</string>
-            <string id="UseTailscaleDNSSettings_Help"><![CDATA[This policy can be used to require that Use Tailscale DNS is configured a certain way.
-See https://tailscale.com/kb/1315/mdm-keys#set-whether-the-device-uses-tailscale-dns-settings for more details.
-
-If you enable this policy, then Use Tailscale DNS is always enabled and the menu option is hidden.
-
-If you disable this policy, then Use Tailscale DNS is always disabled and the menu option is hidden.
-
-If you do not configure this policy, then Use Tailscale DNS depends on what is selected in the Preferences submenu.]]></string>
-            <string id="UseTailscaleSubnets">Use Tailscale Subnets</string>
-            <string id="UseTailscaleSubnets_Help"><![CDATA[This policy can be used to require that Use Tailscale Subnets is configured a certain way.
-See https://tailscale.com/kb/1315/mdm-keys#set-whether-the-device-accepts-tailscale-subnets or https://tailscale.com/kb/1019/subnets for more details.
-
-If you enable this policy, then Use Tailscale Subnets is always enabled and the menu option is hidden.
-
-If you disable this policy, then Use Tailscale Subnets is always disabled and the menu option is hidden.
-
-If you do not configure this policy, then Use Tailscale Subnets depends on what is selected in the Preferences submenu.]]></string>
-            <string id="InstallUpdates">Automatically install updates</string>
-            <string id="InstallUpdates_Help"><![CDATA[This policy can be used to require that Automatically Install Updates is configured a certain way.
-See https://tailscale.com/kb/1067/update#auto-updates for more details.
-
-If you enable this policy, then Automatically Install Updates is always enabled and the menu option is hidden.
-
-If you disable this policy, then Automatically Install Updates is always disabled and the menu option is hidden.
-
-If you do not configure this policy, then Automatically Install Updates depends on what is selected in the Preferences submenu.]]></string>
-            <string id="AdvertiseExitNode">Run Tailscale as an Exit Node</string>
-            <string id="AdvertiseExitNode_Help"><![CDATA[This policy can be used to require that Run Exit Node is configured a certain way.
-See https://tailscale.com/kb/1103/exit-nodes for more details.
-
-If you enable this policy, then Run Exit Node is always enabled and the menu option is hidden.
-
-If you disable this policy, then Run Exit Node is always disabled and the menu option is hidden.
-
-If you do not configure this policy, then Run Exit Node depends on what is selected in the Exit Node submenu.]]></string>
-            <string id="AdminPanel">Show the "Admin Panel" menu item</string>
-            <string id="AdminPanel_Help"><![CDATA[This policy can be used to show or hide the Admin Console item in the Tailscale Menu.
-
-If you enable or don't configure this policy, the Admin Console item will be shown in the Tailscale menu when available.
-
-If you disable this policy, the Admin Console item will always be hidden from the Tailscale menu.]]></string>
-            <string id="NetworkDevices">Show the "Network Devices" submenu</string>
-            <string id="NetworkDevices_Help"><![CDATA[This policy can be used to show or hide the Network Devices submenu in the Tailscale Menu.
-
-If you enable or don't configure this policy, the Network Devices submenu will be shown in the Tailscale menu.
-
-If you disable this policy, the Network Devices submenu will be hidden from the Tailscale menu. This does not affect other devices' visibility in the CLI.]]></string>
-            <string id="TestMenu">Show the "Debug" submenu</string>
-            <string id="TestMenu_Help"><![CDATA[This policy can be used to show or hide the Debug submenu of the Tailscale menu.
-See https://tailscale.com/kb/1315/mdm-keys#hide-the-debug-menu for more details.
-
-If you enable or don't configure this policy, the Debug submenu will be shown in the Tailscale menu when opened while holding Ctrl.
-
-If you disable this policy, the Debug submenu will be hidden from the Tailscale menu.]]></string>
-            <string id="UpdateMenu">Show the "Update Available" menu item</string>
-            <string id="UpdateMenu_Help"><![CDATA[This policy can be used to show or hide the Update Available item in the Tailscale Menu.
-See https://tailscale.com/kb/1315/mdm-keys#hide-the-update-menu for more details.
-
-If you enable or don't configure this policy, the Update Available item will be shown in the Tailscale menu when there is an update.
-
-If you disable this policy, the Update Available item will be hidden from the Tailscale menu.]]></string>
-            <string id="RunExitNode">Show the "Run Exit Node" menu item</string>
-            <string id="RunExitNode_Help"><![CDATA[This policy can be used to show or hide the Run Exit Node item in the Exit Node submenu.
-See https://tailscale.com/kb/1315/mdm-keys#hide-the-run-as-exit-node-menu-item for more details.
-This does not affect using the CLI to enable or disable advertising an exit node. If you wish to enable or disable this feature, see the Run Exit Node policy in the Settings category.
-
-If you enable or don't configure this policy, the Run Exit Node item will be shown in the Exit Node submenu.
-
-If you disable this policy, the Run Exit Node item will be hidden from the Exit Node submenu.]]></string>
-            <string id="PreferencesMenu">Show the "Preferences" submenu</string>
-            <string id="PreferencesMenu_Help"><![CDATA[This policy can be used to show or hide the Preferences submenu of the Tailscale menu.
-See https://tailscale.com/kb/1315/mdm-keys#hide-the-preferences-menu for more details.
-This does not affect using the CLI to modify that menu's preferences. If you wish to control those, look at the policies in the Settings category.
-
-If you enable or don't configure this policy, the Preferences submenu will be shown in the Tailscale menu.
-
-If you disable this policy, the Preferences submenu will be hidden from the Tailscale menu.]]></string>
-            <string id="ExitNodesPicker">Show the "Exit Node" submenu</string>
-            <string id="ExitNodesPicker_Help"><![CDATA[This policy can be used to show or hide the Exit Node submenu of the Tailscale menu.
-See https://tailscale.com/kb/1315/mdm-keys#hide-the-exit-node-picker for more details.
-This does not affect using the CLI to select or stop using an exit node. If you wish to control exit node usage, look at the "Require using a specific Exit Node" policy in the Settings category.
-
-If you enable or don't configure this policy, the Exit Node submenu will be shown in the Tailscale menu.
-
-If you disable this policy, the Exit Node submenu will be hidden from the Tailscale menu.]]></string>
-            <string id="KeyExpirationNoticeTime">Specify a custom key expiration notification time</string>
-            <string id="KeyExpirationNoticeTime_Help"><![CDATA[This policy can be used to configure how soon the notification appears before key expiry.
-See https://tailscale.com/kb/1315/mdm-keys#set-the-key-expiration-notice-period for more details.
-
-Time intervals must be specified as a Go Duration: for example, 24h, 5h25m30s. Time units larger than hours are unsupported.
-
-If you enable this policy and supply a valid time interval, the key expiry notification will begin to display when the current key has less than that amount of time remaining.
-
-If you disable or don't configure this policy, the default time period will be used (as of Tailscale 1.56, this is 24 hours).]]></string>
-            <string id="LogSCMInteractions">Log extra details about service events</string>
-            <string id="LogSCMInteractions_Help"><![CDATA[This policy can be used to enable additional logging related to Service Control Manager for debugging purposes.
-This should only be enabled if recommended by Tailscale Support.
-
-If you enable this policy, additional logging will be enabled for SCM events.
-
-If you disable or don't configure this policy, the normal amount of logging occurs.]]></string>
-            <string id="FlushDNSOnSessionUnlock">Flush the DNS cache on session unlock</string>
-            <string id="FlushDNSOnSessionUnlock_Help"><![CDATA[This policy can be used to enable additional DNS cache flushing for debugging purposes.
-This should only be enabled if recommended by Tailscale Support.
-
-If you enable this policy, the DNS cache will be flushed on session unlock in addition to when the DNS cache would normally be flushed.
-
-If you disable or don't configure this policy, the DNS cache is managed normally.]]></string>
-            <string id="PostureChecking">Collect data for posture checking</string>
-            <string id="PostureChecking_Help"><![CDATA[This policy can be used to require that the Posture Checking setting is configured a certain way.
-See https://tailscale.com/kb/1315/mdm-keys#enable-gathering-device-posture-data and https://tailscale.com/kb/1326/device-identity for more details.
-
-If you enable this policy, then data collection is always enabled.
-
-If you disable this policy, then data collection is always disabled.
-
-If you do not configure this policy, then data collection depends on if it has been enabled from the CLI (as of Tailscale 1.56), it may be present in the GUI in later versions.]]></string>
-        </stringTable>
-        <presentationTable>
-            <presentation id="LoginURL">
-                <textBox refId="LoginURLPrompt">
-                    <label>Coordination server</label>
-                </textBox>
-            </presentation>
-            <presentation id="LogTarget">
-                <textBox refId="LogTargetPrompt">
-                    <label>Log server</label>
-                </textBox>
-            </presentation>
-            <presentation id="Tailnet">
-                <textBox refId="TailnetPrompt">
-                    <label>Tailnet</label>
-                </textBox>
-            </presentation>
-            <presentation id="ExitNodeID">
-                <textBox refId="ExitNodeIDPrompt">
-                    <label>Exit Node</label>
-                </textBox>
-            </presentation>
-        </presentationTable>
-    </resources>
-</policyDefinitionResources>
--- a/docs/windows/policy/tailscale.admx
+++ b/docs/windows/policy/tailscale.admx
@@ -1,256 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<policyDefinitions revision="1.0" schemaVersion="1.0"
-                   xmlns="http://www.microsoft.com/GroupPolicy/PolicyDefinitions">
-  <policyNamespaces>
-    <target prefix="tailscale" namespace="Tailscale.Policies" />
-  </policyNamespaces>
-  <resources minRequiredRevision="1.0" />
-
-  <supportedOn>
-    <products>
-      <product name="TAILSCALE_PRODUCT" displayName="$(string.TAILSCALE_PRODUCT)">
-        <majorVersion name="TAILSCALE_V1" displayName="$(string.TAILSCALE_PRODUCT)" versionIndex="1" />
-      </product>
-    </products>
-
-    <definitions>
-      <definition name="SINCE_V1_22"
-                  displayName="$(string.SINCE_V1_22)">
-        <and><reference ref="TAILSCALE_PRODUCT"/></and>
-      </definition>
-      <definition name="SINCE_V1_26"
-                  displayName="$(string.SINCE_V1_26)">
-        <and><reference ref="TAILSCALE_PRODUCT"/></and>
-      </definition>
-      <definition name="SINCE_V1_50"
-                  displayName="$(string.SINCE_V1_50)">
-        <and><reference ref="TAILSCALE_PRODUCT"/></and>
-      </definition>
-      <definition name="SINCE_V1_52"
-                  displayName="$(string.SINCE_V1_52)">
-        <and><reference ref="TAILSCALE_PRODUCT"/></and>
-      </definition>
-      <definition name="PARTIAL_FULL_SINCE_V1_56"
-                  displayName="$(string.PARTIAL_FULL_SINCE_V1_56)">
-        <and><reference ref="TAILSCALE_PRODUCT"/></and>
-      </definition>
-      <definition name="SINCE_V1_56"
-                  displayName="$(string.SINCE_V1_56)">
-        <and><reference ref="TAILSCALE_PRODUCT"/></and>
-      </definition>
-      <definition name="SINCE_V1_58"
-                  displayName="$(string.SINCE_V1_58)">
-        <and><reference ref="TAILSCALE_PRODUCT"/></and>
-      </definition>
-    </definitions>
-  </supportedOn>
-  <categories>
-    <category name="Top_Category" displayName="$(string.Tailscale_Category)" />
-    <category name="UI_Category" displayName="$(string.UI_Category)">
-      <parentCategory ref="Top_Category" />
-    </category>
-    <category name="Settings_Category" displayName="$(string.Settings_Category)">
-      <parentCategory ref="Top_Category" />
-    </category>
-  </categories>
-  <policies>
-    <policy name="LoginURL" class="Machine" displayName="$(string.LoginURL)" explainText="$(string.LoginURL_Help)" presentation="$(presentation.LoginURL)" key="Software\Policies\Tailscale">
-      <parentCategory ref="Top_Category" />
-      <supportedOn ref="PARTIAL_FULL_SINCE_V1_56" />
-      <elements>
-        <text id="LoginURLPrompt" valueName="LoginURL" required="true" />
-      </elements>
-    </policy>
-    <policy name="LogTarget" class="Machine" displayName="$(string.LogTarget)" explainText="$(string.LogTarget_Help)" presentation="$(presentation.LogTarget)" key="Software\Policies\Tailscale">
-      <parentCategory ref="Top_Category" />
-      <supportedOn ref="SINCE_V1_58" />
-      <elements>
-        <text id="LogTargetPrompt" valueName="LogTarget" required="true" />
-      </elements>
-    </policy>
-    <policy name="Tailnet" class="Machine" displayName="$(string.Tailnet)" explainText="$(string.Tailnet_Help)" presentation="$(presentation.Tailnet)" key="Software\Policies\Tailscale">
-      <parentCategory ref="Top_Category" />
-      <supportedOn ref="SINCE_V1_52" />
-      <elements>
-        <text id="TailnetPrompt" valueName="Tailnet" required="true" />
-      </elements>
-    </policy>
-    <policy name="ExitNodeID" class="Machine" displayName="$(string.ExitNodeID)" explainText="$(string.ExitNodeID_Help)" presentation="$(presentation.ExitNodeID)" key="Software\Policies\Tailscale">
-      <parentCategory ref="Settings_Category" />
-      <supportedOn ref="SINCE_V1_56" />
-      <elements>
-        <text id="ExitNodeIDPrompt" valueName="ExitNodeID" required="true" />
-      </elements>
-    </policy>
-    <policy name="AllowIncomingConnections" class="Machine" displayName="$(string.AllowIncomingConnections)" explainText="$(string.AllowIncomingConnections_Help)" key="Software\Policies\Tailscale" valueName="AllowIncomingConnections">
-      <parentCategory ref="Settings_Category" />
-      <supportedOn ref="PARTIAL_FULL_SINCE_V1_56" />
-      <enabledValue>
-        <string>always</string>
-      </enabledValue>
-      <disabledValue>
-        <string>never</string>
-      </disabledValue>
-    </policy>
-    <policy name="UnattendedMode" class="Machine" displayName="$(string.UnattendedMode)" explainText="$(string.UnattendedMode_Help)" key="Software\Policies\Tailscale" valueName="UnattendedMode">
-      <parentCategory ref="Settings_Category" />
-      <supportedOn ref="PARTIAL_FULL_SINCE_V1_56" />
-      <enabledValue>
-        <string>always</string>
-      </enabledValue>
-      <disabledValue>
-        <string>never</string>
-      </disabledValue>
-    </policy>
-    <policy name="ExitNodeAllowLANAccess" class="Machine" displayName="$(string.ExitNodeAllowLANAccess)" explainText="$(string.ExitNodeAllowLANAccess_Help)" key="Software\Policies\Tailscale" valueName="ExitNodeAllowLANAccess">
-      <parentCategory ref="Settings_Category" />
-      <supportedOn ref="PARTIAL_FULL_SINCE_V1_56" />
-      <enabledValue>
-        <string>always</string>
-      </enabledValue>
-      <disabledValue>
-        <string>never</string>
-      </disabledValue>
-    </policy>
-    <policy name="UseTailscaleDNSSettings" class="Machine" displayName="$(string.UseTailscaleDNSSettings)" explainText="$(string.UseTailscaleDNSSettings_Help)" key="Software\Policies\Tailscale" valueName="UseTailscaleDNSSettings">
-      <parentCategory ref="Settings_Category" />
-      <supportedOn ref="PARTIAL_FULL_SINCE_V1_56" />
-      <enabledValue>
-        <string>always</string>
-      </enabledValue>
-      <disabledValue>
-        <string>never</string>
-      </disabledValue>
-    </policy>
-    <policy name="UseTailscaleSubnets" class="Machine" displayName="$(string.UseTailscaleSubnets)" explainText="$(string.UseTailscaleSubnets_Help)" key="Software\Policies\Tailscale" valueName="UseTailscaleSubnets">
-      <parentCategory ref="Settings_Category" />
-      <supportedOn ref="PARTIAL_FULL_SINCE_V1_56" />
-      <enabledValue>
-        <string>always</string>
-      </enabledValue>
-      <disabledValue>
-        <string>never</string>
-      </disabledValue>
-    </policy>
-    <policy name="InstallUpdates" class="Machine" displayName="$(string.InstallUpdates)" explainText="$(string.InstallUpdates_Help)" key="Software\Policies\Tailscale" valueName="InstallUpdates">
-      <parentCategory ref="Settings_Category" />
-      <supportedOn ref="PARTIAL_FULL_SINCE_V1_56" />
-      <enabledValue>
-        <string>always</string>
-      </enabledValue>
-      <disabledValue>
-        <string>never</string>
-      </disabledValue>
-    </policy>
-    <policy name="AdvertiseExitNode" class="Machine" displayName="$(string.AdvertiseExitNode)" explainText="$(string.AdvertiseExitNode_Help)" key="Software\Policies\Tailscale" valueName="AdvertiseExitNode">
-      <parentCategory ref="Settings_Category" />
-      <supportedOn ref="PARTIAL_FULL_SINCE_V1_56" />
-      <enabledValue>
-        <string>always</string>
-      </enabledValue>
-      <disabledValue>
-        <string>never</string>
-      </disabledValue>
-    </policy>
-    <policy name="PostureChecking" class="Machine" displayName="$(string.PostureChecking)" explainText="$(string.PostureChecking_Help)" key="Software\Policies\Tailscale" valueName="PostureChecking">
-      <parentCategory ref="Settings_Category" />
-      <supportedOn ref="PARTIAL_FULL_SINCE_V1_56" />
-      <enabledValue>
-        <string>always</string>
-      </enabledValue>
-      <disabledValue>
-        <string>never</string>
-      </disabledValue>
-    </policy>
-    <policy name="LogSCMInteractions" class="Machine" displayName="$(string.LogSCMInteractions)" explainText="$(string.LogSCMInteractions_Help)" key="Software\Policies\Tailscale" valueName="LogSCMInteractions">
-      <parentCategory ref="Top_Category" />
-      <supportedOn ref="SINCE_V1_26" />
-      <enabledValue>
-        <decimal value="1" />
-      </enabledValue>
-      <disabledValue>
-        <decimal value="0" />
-      </disabledValue>
-    </policy>
-    <policy name="FlushDNSOnSessionUnlock" class="Machine" displayName="$(string.FlushDNSOnSessionUnlock)" explainText="$(string.FlushDNSOnSessionUnlock_Help)" key="Software\Policies\Tailscale" valueName="FlushDNSOnSessionUnlock">
-      <parentCategory ref="Top_Category" />
-      <supportedOn ref="SINCE_V1_22" />
-      <enabledValue>
-        <decimal value="1" />
-      </enabledValue>
-      <disabledValue>
-        <decimal value="0" />
-      </disabledValue>
-    </policy>
-    <policy name="AdminPanel" class="Machine" displayName="$(string.AdminPanel)" explainText="$(string.AdminPanel_Help)" key="Software\Policies\Tailscale" valueName="AdminPanel">
-      <parentCategory ref="UI_Category" />
-      <supportedOn ref="SINCE_V1_22" />
-      <enabledValue>
-        <string>show</string>
-      </enabledValue>
-      <disabledValue>
-        <string>hide</string>
-      </disabledValue>
-    </policy>
-    <policy name="NetworkDevices" class="Machine" displayName="$(string.NetworkDevices)" explainText="$(string.NetworkDevices_Help)" key="Software\Policies\Tailscale" valueName="NetworkDevices">
-      <parentCategory ref="UI_Category" />
-      <supportedOn ref="SINCE_V1_22" />
-      <enabledValue>
-        <string>show</string>
-      </enabledValue>
-      <disabledValue>
-        <string>hide</string>
-      </disabledValue>
-    </policy>
-    <policy name="TestMenu" class="Machine" displayName="$(string.TestMenu)" explainText="$(string.TestMenu_Help)" key="Software\Policies\Tailscale" valueName="TestMenu">
-      <parentCategory ref="UI_Category" />
-      <supportedOn ref="SINCE_V1_22" />
-      <enabledValue>
-        <string>show</string>
-      </enabledValue>
-      <disabledValue>
-        <string>hide</string>
-      </disabledValue>
-    </policy>
-    <policy name="UpdateMenu" class="Machine" displayName="$(string.UpdateMenu)" explainText="$(string.UpdateMenu_Help)" key="Software\Policies\Tailscale" valueName="UpdateMenu">
-      <parentCategory ref="UI_Category" />
-      <supportedOn ref="SINCE_V1_22" />
-      <enabledValue>
-        <string>show</string>
-      </enabledValue>
-      <disabledValue>
-        <string>hide</string>
-      </disabledValue>
-    </policy>
-    <policy name="RunExitNode" class="Machine" displayName="$(string.RunExitNode)" explainText="$(string.RunExitNode_Help)" key="Software\Policies\Tailscale" valueName="RunExitNode">
-      <parentCategory ref="UI_Category" />
-      <supportedOn ref="SINCE_V1_22" />
-      <enabledValue>
-        <string>show</string>
-      </enabledValue>
-      <disabledValue>
-        <string>hide</string>
-      </disabledValue>
-    </policy>
-    <policy name="PreferencesMenu" class="Machine" displayName="$(string.PreferencesMenu)" explainText="$(string.PreferencesMenu_Help)" key="Software\Policies\Tailscale" valueName="PreferencesMenu">
-      <parentCategory ref="UI_Category" />
-      <supportedOn ref="SINCE_V1_22" />
-      <enabledValue>
-        <string>show</string>
-      </enabledValue>
-      <disabledValue>
-        <string>hide</string>
-      </disabledValue>
-    </policy>
-    <policy name="ExitNodesPicker" class="Machine" displayName="$(string.ExitNodesPicker)" explainText="$(string.ExitNodesPicker_Help)" key="Software\Policies\Tailscale" valueName="ExitNodesPicker">
-      <parentCategory ref="UI_Category" />
-      <supportedOn ref="SINCE_V1_22" />
-      <enabledValue>
-        <string>show</string>
-      </enabledValue>
-      <disabledValue>
-        <string>hide</string>
-      </disabledValue>
-    </policy>
-  </policies>
-</policyDefinitions>
--- a/go.mod
+++ b/go.mod
@@ -61,7 +61,6 @@ require (
 	github.com/safchain/ethtool v0.3.0
 	github.com/skip2/go-qrcode v0.0.0-20200617195104-da1b6568686e
 	github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e
-	github.com/tailscale/csrf v0.0.0-20240109230941-966d36861f16
 	github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502
 	github.com/tailscale/goexpect v0.0.0-20210902213824-6e8c725cea41
 	github.com/tailscale/golang-x-crypto v0.0.0-20230713185742-f0b76a10a08e
@@ -115,7 +114,7 @@ require (
 	github.com/dave/brenda v1.1.0 // indirect
 	github.com/gobuffalo/flect v1.0.2 // indirect
 	github.com/google/gnostic-models v0.6.9-0.20230804172637-c7be7c783f49 // indirect
-	github.com/gorilla/securecookie v1.1.2 // indirect
+	github.com/gorilla/securecookie v1.1.1 // indirect
 )

 require (
@@ -225,6 +224,7 @@ require (
 	github.com/gordonklaus/ineffassign v0.0.0-20230107090616-13ace0543b28 // indirect
 	github.com/goreleaser/chglog v0.5.0 // indirect
 	github.com/goreleaser/fileglob v1.3.0 // indirect
+	github.com/gorilla/csrf v1.7.1
 	github.com/gostaticanalysis/analysisutil v0.7.1 // indirect
 	github.com/gostaticanalysis/comment v1.4.2 // indirect
 	github.com/gostaticanalysis/forcetypeassert v0.1.0 // indirect
--- a/go.sum
+++ b/go.sum
@@ -496,8 +496,10 @@ github.com/goreleaser/fileglob v1.3.0 h1:/X6J7U8lbDpQtBvGcwwPS6OpzkNVlVEsFUVRx9+
 github.com/goreleaser/fileglob v1.3.0/go.mod h1:Jx6BoXv3mbYkEzwm9THo7xbr5egkAraxkGorbJb4RxU=
 github.com/goreleaser/nfpm/v2 v2.33.1 h1:EkdAzZyVhAI9JC1vjmjjbmnNzyH1J6Cu4JCsA7YcQuc=
 github.com/goreleaser/nfpm/v2 v2.33.1/go.mod h1:8wwWWvJWmn84xo/Sqiv0aMvEGTHlHZTXTEuVSgQpkIM=
-github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
-github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
+github.com/gorilla/csrf v1.7.1 h1:Ir3o2c1/Uzj6FBxMlAUB6SivgVMy1ONXwYgXn+/aHPE=
+github.com/gorilla/csrf v1.7.1/go.mod h1:+a/4tCmqhG6/w4oafeAZ9pEa3/NZOWYVbD9fV0FwIQA=
+github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
+github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
 github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gorilla/websocket v1.4.2 h1:+/TMaTYc4QFitKJxsQ7Yye35DkWvkdLcvGKqM+x0Ufc=
 github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
@@ -880,8 +882,6 @@ github.com/t-yuki/gocover-cobertura v0.0.0-20180217150009-aaee18c8195c h1:+aPplB
 github.com/t-yuki/gocover-cobertura v0.0.0-20180217150009-aaee18c8195c/go.mod h1:SbErYREK7xXdsRiigaQiQkI9McGRzYMvlKYaP3Nimdk=
 github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e h1:PtWT87weP5LWHEY//SWsYkSO3RWRZo4OSWagh3YD2vQ=
 github.com/tailscale/certstore v0.1.1-0.20231202035212-d3fa0460f47e/go.mod h1:XrBNfAFN+pwoWuksbFS9Ccxnopa15zJGgXRFN90l3K4=
-github.com/tailscale/csrf v0.0.0-20240109230941-966d36861f16 h1:ALxSJ4KoXENNx1f3L+LD/QuY/FpWadzAMtWIa1Po+jk=
-github.com/tailscale/csrf v0.0.0-20240109230941-966d36861f16/go.mod h1:DkNNZmUscMpGHYJVVqyAqMVY6goWltxvnDSMKuDsxlU=
 github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502 h1:34icjjmqJ2HPjrSuJYEkdZ+0ItmGQAQ75cRHIiftIyE=
 github.com/tailscale/depaware v0.0.0-20210622194025-720c4b409502/go.mod h1:p9lPsd+cx33L3H9nNoecRRxPssFKUwwI50I3pZ0yT+8=
 github.com/tailscale/go-winio v0.0.0-20231025203758-c4f33415bf55 h1:Gzfnfk2TWrk8Jj4P4c1a3CtQyMaTVCznlkLZI++hok4=
--- a/ipn/backend.go
+++ b/ipn/backend.go
@@ -175,7 +175,6 @@ type PartialFile struct {
 	// in-progress '*.partial' file's path when the peerapi isn't
 	// being used; see LocalBackend.SetDirectFileRoot.
 	PartialPath string `json:",omitempty"`
-	FinalPath   string `json:",omitempty"`

 	// Done is set in "direct" mode when the partial file has been
 	// closed and is ready for the caller to rename away the
--- a/ipn/ipnlocal/local.go
+++ b/ipn/ipnlocal/local.go
@@ -265,8 +265,9 @@ type LocalBackend struct {
 	// It's also used on several NAS platforms (Synology, TrueNAS, etc)
 	// but in that case DoFinalRename is also set true, which moves the
 	// *.partial file to its final name on completion.
-	directFileRoot    string
-	componentLogUntil map[string]componentLogState
+	directFileRoot          string
+	directFileDoFinalRename bool // false on macOS, true on several NAS platforms
+	componentLogUntil       map[string]componentLogState
 	// c2nUpdateStatus is the status of c2n-triggered client update.
 	c2nUpdateStatus     updateStatus
 	currentUser         ipnauth.WindowsToken
@@ -340,6 +341,7 @@ func NewLocalBackend(logf logger.Logf, logID logid.PublicID, sys *tsd.System, lo
 	}

 	if sys.InitialConfig != nil {
+		log.Printf("Found initial config")
 		p := pm.CurrentPrefs().AsStruct()
 		mp, err := sys.InitialConfig.Parsed.ToPrefs()
 		if err != nil {
@@ -539,6 +541,17 @@ func (b *LocalBackend) SetDirectFileRoot(dir string) {
 	b.directFileRoot = dir
 }

+// SetDirectFileDoFinalRename sets whether the peerapi file server should rename
+// a received "name.partial" file to "name" when the download is complete.
+//
+// This only applies when SetDirectFileRoot is non-empty.
+// The default is false.
+func (b *LocalBackend) SetDirectFileDoFinalRename(v bool) {
+	b.mu.Lock()
+	defer b.mu.Unlock()
+	b.directFileDoFinalRename = v
+}
+
 // ReloadConfig reloads the backend's config from disk.
 //
 // It returns (false, nil) if not running in declarative mode, (true, nil) on
@@ -1062,11 +1075,9 @@ func (b *LocalBackend) SetControlClientStatus(c controlclient.Client, st control
 		b.blockEngineUpdates(false)
 	}

-	if st.LoginFinished() && (wasBlocked || b.seamlessRenewalEnabled()) {
-		if wasBlocked {
-			// Auth completed, unblock the engine
-			b.blockEngineUpdates(false)
-		}
+	if st.LoginFinished() && wasBlocked {
+		// Auth completed, unblock the engine
+		b.blockEngineUpdates(false)
 		b.authReconfig()
 		b.send(ipn.Notify{LoginFinished: &empty.Message{}})
 	}
@@ -1098,7 +1109,7 @@ func (b *LocalBackend) SetControlClientStatus(c controlclient.Client, st control
 		b.authURL = st.URL
 		b.authURLSticky = st.URL
 	}
-	if (wasBlocked || b.seamlessRenewalEnabled()) && st.LoginFinished() {
+	if wasBlocked && st.LoginFinished() {
 		// Interactive login finished successfully (URL visited).
 		// After an interactive login, the user always wants
 		// WantRunning.
@@ -2446,10 +2457,8 @@ func (b *LocalBackend) popBrowserAuthNow() {

 	b.logf("popBrowserAuthNow: url=%v", url != "")

-	if !b.seamlessRenewalEnabled() {
-		b.blockEngineUpdates(true)
-		b.stopEngineAndWait()
-	}
+	b.blockEngineUpdates(true)
+	b.stopEngineAndWait()
 	b.tellClientToBrowseToURL(url)
 	if b.State() == ipn.Running {
 		b.enterState(ipn.Starting)
@@ -3865,12 +3874,13 @@ func (b *LocalBackend) initPeerAPIListener() {
 	ps := &peerAPIServer{
 		b: b,
 		taildrop: taildrop.ManagerOptions{
-			Logf:           b.logf,
-			Clock:          tstime.DefaultClock{Clock: b.clock},
-			State:          b.store,
-			Dir:            fileRoot,
-			DirectFileMode: b.directFileRoot != "",
-			SendFileNotify: b.sendFileNotify,
+			Logf:             b.logf,
+			Clock:            tstime.DefaultClock{Clock: b.clock},
+			State:            b.store,
+			Dir:              fileRoot,
+			DirectFileMode:   b.directFileRoot != "",
+			AvoidFinalRename: !b.directFileDoFinalRename,
+			SendFileNotify:   b.sendFileNotify,
 		}.New(),
 	}
 	if dm, ok := b.sys.DNSManager.GetOK(); ok {
@@ -4167,9 +4177,6 @@ func (b *LocalBackend) enterStateLockedOnEntry(newState ipn.State) {
 	switch newState {
 	case ipn.NeedsLogin:
 		systemd.Status("Needs login: %s", authURL)
-		if b.seamlessRenewalEnabled() {
-			break
-		}
 		b.blockEngineUpdates(true)
 		fallthrough
 	case ipn.Stopped:
@@ -5795,14 +5802,6 @@ func (b *LocalBackend) AdvertiseRoute(ipp netip.Prefix) error {
 	return err
 }

-// seamlessRenewalEnabled reports whether seamless key renewals are enabled
-// (i.e. we saw our self node with the SeamlessKeyRenewal attr in a netmap).
-// This enables beta functionality of renewing node keys without breaking
-// connections.
-func (b *LocalBackend) seamlessRenewalEnabled() bool {
-	return b.ControlKnobs().SeamlessKeyRenewal.Load()
-}
-
 var (
 	disallowedAddrs = []netip.Addr{
 		netip.MustParseAddr("::1"),
--- a/ipn/ipnlocal/profiles.go
+++ b/ipn/ipnlocal/profiles.go
@@ -8,6 +8,7 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"log"
 	"math/rand"
 	"runtime"
 	"slices"
@@ -209,9 +210,11 @@ func init() {
 // is logged into so that we can keep track of things like their domain name
 // across user switches to disambiguate the same account but a different tailnet.
 func (pm *profileManager) SetPrefs(prefsIn ipn.PrefsView, np ipn.NetworkProfile) error {
+	log.Printf("set prefs")
 	prefs := prefsIn.AsStruct()
 	newPersist := prefs.Persist
 	if newPersist == nil || newPersist.NodeID == "" || newPersist.UserProfile.LoginName == "" {
+		log.Printf("prefs: ignore profile")
 		// We don't know anything about this profile, so ignore it for now.
 		return pm.setPrefsLocked(prefs.View())
 	}
@@ -220,6 +223,7 @@ func (pm *profileManager) SetPrefs(prefsIn ipn.PrefsView, np ipn.NetworkProfile)
 		up.DisplayName = up.LoginName
 	}
 	cp := pm.currentProfile
+	log.Printf("current profile: %v", cp.UserProfile)
 	// Check if we already have an existing profile that matches the user/node.
 	if existing := pm.findMatchingProfiles(prefs); len(existing) > 0 {
 		// We already have a profile for this user/node we should reuse it. Also
@@ -256,12 +260,15 @@ func (pm *profileManager) SetPrefs(prefsIn ipn.PrefsView, np ipn.NetworkProfile)
 	pm.knownProfiles[cp.ID] = cp
 	pm.currentProfile = cp
 	if err := pm.writeKnownProfiles(); err != nil {
+		log.Printf("error writing known profiles")
 		return err
 	}
 	if err := pm.setAsUserSelectedProfileLocked(); err != nil {
+		log.Printf("error locking profile")
 		return err
 	}
 	if err := pm.setPrefsLocked(prefs.View()); err != nil {
+		log.Printf("error viewing prefs")
 		return err
 	}
 	return nil
--- a/ipn/localapi/localapi.go
+++ b/ipn/localapi/localapi.go
@@ -80,7 +80,6 @@ var handler = map[string]localAPIHandler{
 	"component-debug-logging":     (*Handler).serveComponentDebugLogging,
 	"debug":                       (*Handler).serveDebug,
 	"debug-derp-region":           (*Handler).serveDebugDERPRegion,
-	"debug-dial-types":            (*Handler).serveDebugDialTypes,
 	"debug-packet-filter-matches": (*Handler).serveDebugPacketFilterMatches,
 	"debug-packet-filter-rules":   (*Handler).serveDebugPacketFilterRules,
 	"debug-portmap":               (*Handler).serveDebugPortmap,
@@ -841,76 +840,6 @@ func (h *Handler) serveComponentDebugLogging(w http.ResponseWriter, r *http.Requ
 	json.NewEncoder(w).Encode(res)
 }

-func (h *Handler) serveDebugDialTypes(w http.ResponseWriter, r *http.Request) {
-	if !h.PermitWrite {
-		http.Error(w, "debug-dial-types access denied", http.StatusForbidden)
-		return
-	}
-	if r.Method != httpm.POST {
-		http.Error(w, "only POST allowed", http.StatusMethodNotAllowed)
-		return
-	}
-
-	ip := r.FormValue("ip")
-	port := r.FormValue("port")
-	network := r.FormValue("network")
-
-	addr := ip + ":" + port
-	if _, err := netip.ParseAddrPort(addr); err != nil {
-		w.WriteHeader(http.StatusBadRequest)
-		fmt.Fprintf(w, "invalid address %q: %v", addr, err)
-		return
-	}
-
-	ctx, cancel := context.WithTimeout(r.Context(), 5*time.Second)
-	defer cancel()
-
-	var bareDialer net.Dialer
-
-	dialer := h.b.Dialer()
-
-	var peerDialer net.Dialer
-	peerDialer.Control = dialer.PeerDialControlFunc()
-
-	// Kick off a dial with each available dialer in parallel.
-	dialers := []struct {
-		name string
-		dial func(context.Context, string, string) (net.Conn, error)
-	}{
-		{"SystemDial", dialer.SystemDial},
-		{"UserDial", dialer.UserDial},
-		{"PeerDial", peerDialer.DialContext},
-		{"BareDial", bareDialer.DialContext},
-	}
-	type result struct {
-		name string
-		conn net.Conn
-		err  error
-	}
-	results := make(chan result, len(dialers))
-
-	var wg sync.WaitGroup
-	for _, dialer := range dialers {
-		dialer := dialer // loop capture
-
-		wg.Add(1)
-		go func() {
-			defer wg.Done()
-			conn, err := dialer.dial(ctx, network, addr)
-			results <- result{dialer.name, conn, err}
-		}()
-	}
-
-	wg.Wait()
-	for i := 0; i < len(dialers); i++ {
-		res := <-results
-		fmt.Fprintf(w, "[%s] connected=%v err=%v\n", res.name, res.conn != nil, res.err)
-		if res.conn != nil {
-			res.conn.Close()
-		}
-	}
-}
-
 // servePprofFunc is the implementation of Handler.servePprof, after auth,
 // for platforms where we want to link it in.
 var servePprofFunc func(http.ResponseWriter, *http.Request)
--- a/ipn/prefs.go
+++ b/ipn/prefs.go
@@ -26,7 +26,6 @@ import (
 	"tailscale.com/types/preftype"
 	"tailscale.com/types/views"
 	"tailscale.com/util/dnsname"
-	"tailscale.com/util/syspolicy"
 )

 // DefaultControlURL is the URL base of the control plane
@@ -638,16 +637,11 @@ func (p PrefsView) ControlURLOrDefault() string {
 // If not configured, or if the configured value is a legacy name equivalent to
 // the default, then DefaultControlURL is returned instead.
 func (p *Prefs) ControlURLOrDefault() string {
-	controlURL, err := syspolicy.GetString(syspolicy.ControlURL, p.ControlURL)
-	if err != nil {
-		controlURL = p.ControlURL
-	}
-
-	if controlURL != "" {
-		if controlURL != DefaultControlURL && IsLoginServerSynonym(controlURL) {
+	if p.ControlURL != "" {
+		if p.ControlURL != DefaultControlURL && IsLoginServerSynonym(p.ControlURL) {
 			return DefaultControlURL
 		}
-		return controlURL
+		return p.ControlURL
 	}
 	return DefaultControlURL
 }
--- a/k8s-operator/apis/v1alpha1/types_connector.go
+++ b/k8s-operator/apis/v1alpha1/types_connector.go
@@ -47,14 +47,14 @@ type ConnectorList struct {
 }

 // ConnectorSpec describes a Tailscale node to be deployed in the cluster.
-// +kubebuilder:validation:XValidation:rule="has(self.subnetRouter) || self.exitNode == true",message="A Connector needs to be either an exit node or a subnet router, or both."
+// +kubebuilder:validation:XValidation:rule="has(self.subnetRouter) || self.isExitNode == true",message="A Connector needs to be either an exit node or a subnet router, or both."
 type ConnectorSpec struct {
 	// Tags that the Tailscale node will be tagged with.
 	// Defaults to [tag:k8s].
 	// To autoapprove the subnet routes or exit node defined by a Connector,
 	// you can configure Tailscale ACLs to give these tags the necessary
 	// permissions.
-	// See https://tailscale.com/kb/1018/acls/#auto-approvers-for-routes-and-exit-nodes.
+	// See https://tailscale.com/kb/1018/acls/#auto-approvers-for-routes-and-exit-nodes
 	// If you specify custom tags here, you must also make the operator an owner of these tags.
 	// See  https://tailscale.com/kb/1236/kubernetes-operator/#setting-up-the-kubernetes-operator.
 	// Tags cannot be changed once a Connector node has been created.
@@ -62,7 +62,7 @@ type ConnectorSpec struct {
 	// +optional
 	Tags Tags `json:"tags,omitempty"`
 	// Hostname is the tailnet hostname that should be assigned to the
-	// Connector node. If unset, hostname defaults to <connector
+	// Connector node. If unset, hostname is defaulted to <connector
 	// name>-connector. Hostname can contain lower case letters, numbers and
 	// dashes, it must not start or end with a dash and must be between 2
 	// and 63 characters long.
@@ -73,21 +73,21 @@ type ConnectorSpec struct {
 	// https://tailscale.com/kb/1019/subnets/
 	// +optional
 	SubnetRouter *SubnetRouter `json:"subnetRouter"`
-	// ExitNode defines whether the Connector node should act as a
+	// IsExitNode defines whether the Connector node should act as a
 	// Tailscale exit node. Defaults to false.
 	// https://tailscale.com/kb/1103/exit-nodes
 	// +optional
-	ExitNode bool `json:"exitNode"`
+	IsExitNode bool `json:"isExitNode"`
 }

 // SubnetRouter defines subnet routes that should be exposed to tailnet via a
 // Connector node.
 type SubnetRouter struct {
-	// AdvertiseRoutes refer to CIDRs that the subnet router should make
+	// Routes refer to in-cluster CIDRs that the subnet router should make
 	// available. Route values must be strings that represent a valid IPv4
 	// or IPv6 CIDR range. Values can be Tailscale 4via6 subnet routes.
 	// https://tailscale.com/kb/1201/4via6-subnets/
-	AdvertiseRoutes Routes `json:"advertiseRoutes"`
+	Routes Routes `json:"routes"`
 }

 type Tags []Tag
@@ -100,13 +100,9 @@ func (tags Tags) Stringify() []string {
 	return stringTags
 }

-// +kubebuilder:validation:MinItems=1
 type Routes []Route

 func (routes Routes) Stringify() string {
-	if len(routes) < 1 {
-		return ""
-	}
 	var sb strings.Builder
 	sb.WriteString(string(routes[0]))
 	for _, r := range routes[1:] {
--- a/k8s-operator/apis/v1alpha1/zz_generated.deepcopy.go
+++ b/k8s-operator/apis/v1alpha1/zz_generated.deepcopy.go
@@ -158,8 +158,8 @@ func (in Routes) DeepCopy() Routes {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SubnetRouter) DeepCopyInto(out *SubnetRouter) {
 	*out = *in
-	if in.AdvertiseRoutes != nil {
-		in, out := &in.AdvertiseRoutes, &out.AdvertiseRoutes
+	if in.Routes != nil {
+		in, out := &in.Routes, &out.Routes
 		*out = make(Routes, len(*in))
 		copy(*out, *in)
 	}
--- a/licenses/apple.md
+++ b/licenses/apple.md
@@ -41,9 +41,9 @@ and [iOS][].  See also the dependencies in the [Tailscale CLI][].
 - [github.com/jmespath/go-jmespath](https://pkg.go.dev/github.com/jmespath/go-jmespath) ([Apache-2.0](https://github.com/jmespath/go-jmespath/blob/v0.4.0/LICENSE))
 - [github.com/josharian/native](https://pkg.go.dev/github.com/josharian/native) ([MIT](https://github.com/josharian/native/blob/5c7d0dd6ab86/license))
 - [github.com/jsimonetti/rtnetlink](https://pkg.go.dev/github.com/jsimonetti/rtnetlink) ([MIT](https://github.com/jsimonetti/rtnetlink/blob/v1.3.5/LICENSE.md))
- - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.17.4/LICENSE))
- - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.17.4/internal/snapref/LICENSE))
- - [github.com/klauspost/compress/zstd/internal/xxhash](https://pkg.go.dev/github.com/klauspost/compress/zstd/internal/xxhash) ([MIT](https://github.com/klauspost/compress/blob/v1.17.4/zstd/internal/xxhash/LICENSE.txt))
+ - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.17.0/LICENSE))
+ - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.17.0/internal/snapref/LICENSE))
+ - [github.com/klauspost/compress/zstd/internal/xxhash](https://pkg.go.dev/github.com/klauspost/compress/zstd/internal/xxhash) ([MIT](https://github.com/klauspost/compress/blob/v1.17.0/zstd/internal/xxhash/LICENSE.txt))
 - [github.com/kortschak/wol](https://pkg.go.dev/github.com/kortschak/wol) ([BSD-3-Clause](https://github.com/kortschak/wol/blob/da482cc4850a/LICENSE))
 - [github.com/mdlayher/genetlink](https://pkg.go.dev/github.com/mdlayher/genetlink) ([MIT](https://github.com/mdlayher/genetlink/blob/v1.3.2/LICENSE.md))
 - [github.com/mdlayher/netlink](https://pkg.go.dev/github.com/mdlayher/netlink) ([MIT](https://github.com/mdlayher/netlink/blob/v1.7.2/LICENSE.md))
--- a/licenses/tailscale.md
+++ b/licenses/tailscale.md
@@ -53,9 +53,9 @@ Some packages may only be included on certain architectures or operating systems
 - [github.com/josharian/native](https://pkg.go.dev/github.com/josharian/native) ([MIT](https://github.com/josharian/native/blob/5c7d0dd6ab86/license))
 - [github.com/jsimonetti/rtnetlink](https://pkg.go.dev/github.com/jsimonetti/rtnetlink) ([MIT](https://github.com/jsimonetti/rtnetlink/blob/v1.3.5/LICENSE.md))
 - [github.com/kballard/go-shellquote](https://pkg.go.dev/github.com/kballard/go-shellquote) ([MIT](https://github.com/kballard/go-shellquote/blob/95032a82bc51/LICENSE))
- - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.17.4/LICENSE))
- - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.17.4/internal/snapref/LICENSE))
- - [github.com/klauspost/compress/zstd/internal/xxhash](https://pkg.go.dev/github.com/klauspost/compress/zstd/internal/xxhash) ([MIT](https://github.com/klauspost/compress/blob/v1.17.4/zstd/internal/xxhash/LICENSE.txt))
+ - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.17.0/LICENSE))
+ - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.17.0/internal/snapref/LICENSE))
+ - [github.com/klauspost/compress/zstd/internal/xxhash](https://pkg.go.dev/github.com/klauspost/compress/zstd/internal/xxhash) ([MIT](https://github.com/klauspost/compress/blob/v1.17.0/zstd/internal/xxhash/LICENSE.txt))
 - [github.com/kortschak/wol](https://pkg.go.dev/github.com/kortschak/wol) ([BSD-3-Clause](https://github.com/kortschak/wol/blob/da482cc4850a/LICENSE))
 - [github.com/kr/fs](https://pkg.go.dev/github.com/kr/fs) ([BSD-3-Clause](https://github.com/kr/fs/blob/v0.1.0/LICENSE))
 - [github.com/mattn/go-colorable](https://pkg.go.dev/github.com/mattn/go-colorable) ([MIT](https://github.com/mattn/go-colorable/blob/v0.1.13/LICENSE))
@@ -77,7 +77,7 @@ Some packages may only be included on certain architectures or operating systems
 - [github.com/tailscale/golang-x-crypto](https://pkg.go.dev/github.com/tailscale/golang-x-crypto) ([BSD-3-Clause](https://github.com/tailscale/golang-x-crypto/blob/f0b76a10a08e/LICENSE))
 - [github.com/tailscale/hujson](https://pkg.go.dev/github.com/tailscale/hujson) ([BSD-3-Clause](https://github.com/tailscale/hujson/blob/20486734a56a/LICENSE))
 - [github.com/tailscale/netlink](https://pkg.go.dev/github.com/tailscale/netlink) ([Apache-2.0](https://github.com/tailscale/netlink/blob/cabfb018fe85/LICENSE))
- - [github.com/tailscale/web-client-prebuilt](https://pkg.go.dev/github.com/tailscale/web-client-prebuilt) ([BSD-3-Clause](https://github.com/tailscale/web-client-prebuilt/blob/a4fa669015b2/LICENSE))
+ - [github.com/tailscale/web-client-prebuilt](https://pkg.go.dev/github.com/tailscale/web-client-prebuilt) ([BSD-3-Clause](https://github.com/tailscale/web-client-prebuilt/blob/3a45625fe806/LICENSE))
 - [github.com/tailscale/wireguard-go](https://pkg.go.dev/github.com/tailscale/wireguard-go) ([MIT](https://github.com/tailscale/wireguard-go/blob/cc193a0b3272/LICENSE))
 - [github.com/tcnksm/go-httpstat](https://pkg.go.dev/github.com/tcnksm/go-httpstat) ([MIT](https://github.com/tcnksm/go-httpstat/blob/v0.2.0/LICENSE))
 - [github.com/toqueteos/webbrowser](https://pkg.go.dev/github.com/toqueteos/webbrowser) ([MIT](https://github.com/toqueteos/webbrowser/blob/v1.2.0/LICENSE.md))
--- a/licenses/windows.md
+++ b/licenses/windows.md
@@ -13,23 +13,8 @@ Windows][].  See also the dependencies in the [Tailscale CLI][].
 - [github.com/alexbrainman/sspi](https://pkg.go.dev/github.com/alexbrainman/sspi) ([BSD-3-Clause](https://github.com/alexbrainman/sspi/blob/1a75b4708caa/LICENSE))
 - [github.com/apenwarr/fixconsole](https://pkg.go.dev/github.com/apenwarr/fixconsole) ([Apache-2.0](https://github.com/apenwarr/fixconsole/blob/5a9f6489cc29/LICENSE))
 - [github.com/apenwarr/w32](https://pkg.go.dev/github.com/apenwarr/w32) ([BSD-3-Clause](https://github.com/apenwarr/w32/blob/aa00fece76ab/LICENSE))
- - [github.com/aws/aws-sdk-go-v2](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/v1.21.0/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/config](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/config) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/config/v1.18.42/config/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/credentials](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/credentials) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/credentials/v1.13.40/credentials/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/feature/ec2/imds](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/feature/ec2/imds) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/feature/ec2/imds/v1.13.11/feature/ec2/imds/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/internal/configsources](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/configsources) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/internal/configsources/v1.1.41/internal/configsources/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/internal/endpoints/v2](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/endpoints/v2) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/internal/endpoints/v2.4.35/internal/endpoints/v2/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/internal/ini](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/ini) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/internal/ini/v1.3.43/internal/ini/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/internal/sync/singleflight](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/internal/sync/singleflight) ([BSD-3-Clause](https://github.com/aws/aws-sdk-go-v2/blob/v1.21.0/internal/sync/singleflight/LICENSE))
- - [github.com/aws/aws-sdk-go-v2/service/internal/presigned-url](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/internal/presigned-url) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/internal/presigned-url/v1.9.35/service/internal/presigned-url/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/service/ssm](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ssm) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/ssm/v1.38.0/service/ssm/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/service/sso](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/sso) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/sso/v1.14.1/service/sso/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/service/ssooidc](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/ssooidc) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/ssooidc/v1.17.1/service/ssooidc/LICENSE.txt))
- - [github.com/aws/aws-sdk-go-v2/service/sts](https://pkg.go.dev/github.com/aws/aws-sdk-go-v2/service/sts) ([Apache-2.0](https://github.com/aws/aws-sdk-go-v2/blob/service/sts/v1.22.0/service/sts/LICENSE.txt))
- - [github.com/aws/smithy-go](https://pkg.go.dev/github.com/aws/smithy-go) ([Apache-2.0](https://github.com/aws/smithy-go/blob/v1.14.2/LICENSE))
- - [github.com/aws/smithy-go/internal/sync/singleflight](https://pkg.go.dev/github.com/aws/smithy-go/internal/sync/singleflight) ([BSD-3-Clause](https://github.com/aws/smithy-go/blob/v1.14.2/internal/sync/singleflight/LICENSE))
 - [github.com/coreos/go-iptables/iptables](https://pkg.go.dev/github.com/coreos/go-iptables/iptables) ([Apache-2.0](https://github.com/coreos/go-iptables/blob/v0.7.0/LICENSE))
- - [github.com/dblohm7/wingoes](https://pkg.go.dev/github.com/dblohm7/wingoes) ([BSD-3-Clause](https://github.com/dblohm7/wingoes/blob/65927751e9eb/LICENSE))
+ - [github.com/dblohm7/wingoes](https://pkg.go.dev/github.com/dblohm7/wingoes) ([BSD-3-Clause](https://github.com/dblohm7/wingoes/blob/e994401fc077/LICENSE))
 - [github.com/fxamacker/cbor/v2](https://pkg.go.dev/github.com/fxamacker/cbor/v2) ([MIT](https://github.com/fxamacker/cbor/blob/v2.5.0/LICENSE))
 - [github.com/golang/groupcache/lru](https://pkg.go.dev/github.com/golang/groupcache/lru) ([Apache-2.0](https://github.com/golang/groupcache/blob/41bb18bfe9da/LICENSE))
 - [github.com/google/btree](https://pkg.go.dev/github.com/google/btree) ([Apache-2.0](https://github.com/google/btree/blob/v1.1.2/LICENSE))
@@ -37,12 +22,11 @@ Windows][].  See also the dependencies in the [Tailscale CLI][].
 - [github.com/google/uuid](https://pkg.go.dev/github.com/google/uuid) ([BSD-3-Clause](https://github.com/google/uuid/blob/v1.3.1/LICENSE))
 - [github.com/gregjones/httpcache](https://pkg.go.dev/github.com/gregjones/httpcache) ([MIT](https://github.com/gregjones/httpcache/blob/901d90724c79/LICENSE.txt))
 - [github.com/hdevalence/ed25519consensus](https://pkg.go.dev/github.com/hdevalence/ed25519consensus) ([BSD-3-Clause](https://github.com/hdevalence/ed25519consensus/blob/v0.1.0/LICENSE))
- - [github.com/jmespath/go-jmespath](https://pkg.go.dev/github.com/jmespath/go-jmespath) ([Apache-2.0](https://github.com/jmespath/go-jmespath/blob/v0.4.0/LICENSE))
 - [github.com/josharian/native](https://pkg.go.dev/github.com/josharian/native) ([MIT](https://github.com/josharian/native/blob/5c7d0dd6ab86/license))
 - [github.com/jsimonetti/rtnetlink](https://pkg.go.dev/github.com/jsimonetti/rtnetlink) ([MIT](https://github.com/jsimonetti/rtnetlink/blob/v1.3.5/LICENSE.md))
- - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.17.4/LICENSE))
- - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.17.4/internal/snapref/LICENSE))
- - [github.com/klauspost/compress/zstd/internal/xxhash](https://pkg.go.dev/github.com/klauspost/compress/zstd/internal/xxhash) ([MIT](https://github.com/klauspost/compress/blob/v1.17.4/zstd/internal/xxhash/LICENSE.txt))
+ - [github.com/klauspost/compress](https://pkg.go.dev/github.com/klauspost/compress) ([Apache-2.0](https://github.com/klauspost/compress/blob/v1.17.0/LICENSE))
+ - [github.com/klauspost/compress/internal/snapref](https://pkg.go.dev/github.com/klauspost/compress/internal/snapref) ([BSD-3-Clause](https://github.com/klauspost/compress/blob/v1.17.0/internal/snapref/LICENSE))
+ - [github.com/klauspost/compress/zstd/internal/xxhash](https://pkg.go.dev/github.com/klauspost/compress/zstd/internal/xxhash) ([MIT](https://github.com/klauspost/compress/blob/v1.17.0/zstd/internal/xxhash/LICENSE.txt))
 - [github.com/mdlayher/netlink](https://pkg.go.dev/github.com/mdlayher/netlink) ([MIT](https://github.com/mdlayher/netlink/blob/v1.7.2/LICENSE.md))
 - [github.com/mdlayher/socket](https://pkg.go.dev/github.com/mdlayher/socket) ([MIT](https://github.com/mdlayher/socket/blob/v0.5.0/LICENSE.md))
 - [github.com/miekg/dns](https://pkg.go.dev/github.com/miekg/dns) ([BSD-3-Clause](https://github.com/miekg/dns/blob/v1.1.56/LICENSE))
@@ -52,8 +36,8 @@ Windows][].  See also the dependencies in the [Tailscale CLI][].
 - [github.com/skip2/go-qrcode](https://pkg.go.dev/github.com/skip2/go-qrcode) ([MIT](https://github.com/skip2/go-qrcode/blob/da1b6568686e/LICENSE))
 - [github.com/tailscale/go-winio](https://pkg.go.dev/github.com/tailscale/go-winio) ([MIT](https://github.com/tailscale/go-winio/blob/c4f33415bf55/LICENSE))
 - [github.com/tailscale/netlink](https://pkg.go.dev/github.com/tailscale/netlink) ([Apache-2.0](https://github.com/tailscale/netlink/blob/cabfb018fe85/LICENSE))
- - [github.com/tailscale/walk](https://pkg.go.dev/github.com/tailscale/walk) ([BSD-3-Clause](https://github.com/tailscale/walk/blob/95b7e17614b9/LICENSE))
- - [github.com/tailscale/win](https://pkg.go.dev/github.com/tailscale/win) ([BSD-3-Clause](https://github.com/tailscale/win/blob/d2e5cdeed6dc/LICENSE))
+ - [github.com/tailscale/walk](https://pkg.go.dev/github.com/tailscale/walk) ([BSD-3-Clause](https://github.com/tailscale/walk/blob/dff4ed649e49/LICENSE))
+ - [github.com/tailscale/win](https://pkg.go.dev/github.com/tailscale/win) ([BSD-3-Clause](https://github.com/tailscale/win/blob/84569fd814a9/LICENSE))
 - [github.com/tc-hib/winres](https://pkg.go.dev/github.com/tc-hib/winres) ([0BSD](https://github.com/tc-hib/winres/blob/v0.2.1/LICENSE))
 - [github.com/vishvananda/netlink/nl](https://pkg.go.dev/github.com/vishvananda/netlink/nl) ([Apache-2.0](https://github.com/vishvananda/netlink/blob/v1.2.1-beta.2/LICENSE))
 - [github.com/vishvananda/netns](https://pkg.go.dev/github.com/vishvananda/netns) ([Apache-2.0](https://github.com/vishvananda/netns/blob/v0.0.4/LICENSE))
--- a/net/dns/resolver/forwarder.go
+++ b/net/dns/resolver/forwarder.go
@@ -460,10 +460,6 @@ func (f *forwarder) sendDoH(ctx context.Context, urlBase string, c *http.Client,
 var (
 	verboseDNSForward = envknob.RegisterBool("TS_DEBUG_DNS_FORWARD_SEND")
 	skipTCPRetry      = envknob.RegisterBool("TS_DNS_FORWARD_SKIP_TCP_RETRY")
-
-	// For correlating log messages in the send() function; only used when
-	// verboseDNSForward() is true.
-	forwarderCount atomic.Uint64
 )

 // send sends packet to dst. It is best effort.
@@ -471,10 +467,9 @@ var (
 // send expects the reply to have the same txid as txidOut.
 func (f *forwarder) send(ctx context.Context, fq *forwardQuery, rr resolverAndDelay) (ret []byte, err error) {
 	if verboseDNSForward() {
-		id := forwarderCount.Add(1)
-		f.logf("forwarder.send(%q) [%d] ...", rr.name.Addr, id)
+		f.logf("forwarder.send(%q) ...", rr.name.Addr)
 		defer func() {
-			f.logf("forwarder.send(%q) [%d] = %v, %v", rr.name.Addr, id, len(ret), err)
+			f.logf("forwarder.send(%q) = %v, %v", rr.name.Addr, len(ret), err)
 		}()
 	}
 	if strings.HasPrefix(rr.name.Addr, "http://") {
--- a/net/interfaces/defaultroute_bsd.go
+++ b/net/interfaces/defaultroute_bsd.go
@@ -1,26 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// Common code for FreeBSD and Darwin. This might also work on other
-// BSD systems (e.g. OpenBSD) but has not been tested.
-// Not used on iOS. See defaultroute_ios.go.
-
-//go:build !ios && (darwin || freebsd)
-
-package interfaces
-
-import "net"
-
-func defaultRoute() (d DefaultRouteDetails, err error) {
-	idx, err := DefaultRouteInterfaceIndex()
-	if err != nil {
-		return d, err
-	}
-	iface, err := net.InterfaceByIndex(idx)
-	if err != nil {
-		return d, err
-	}
-	d.InterfaceName = iface.Name
-	d.InterfaceIndex = idx
-	return d, nil
-}
--- a/net/interfaces/defaultroute_ios.go
+++ b/net/interfaces/defaultroute_ios.go
@@ -1,108 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-//go:build ios
-
-package interfaces
-
-import (
-	"log"
-
-	"tailscale.com/syncs"
-)
-
-var (
-	lastKnownDefaultRouteIfName syncs.AtomicValue[string]
-)
-
-// UpdateLastKnownDefaultRouteInterface is called by ipn-go-bridge in the iOS app when
-// our NWPathMonitor instance detects a network path transition.
-func UpdateLastKnownDefaultRouteInterface(ifName string) {
-	if ifName == "" {
-		return
-	}
-	lastKnownDefaultRouteIfName.Store(ifName)
-	log.Printf("defaultroute_ios: update from Swift, ifName = %s", ifName)
-}
-
-func defaultRoute() (d DefaultRouteDetails, err error) {
-	// We cannot rely on the delegated interface data on iOS. The NetworkExtension framework
-	// seems to set the delegate interface only once, upon the *creation* of the VPN tunnel.
-	// If a network transition (e.g. from Wi-Fi to Cellular) happens while the tunnel is
-	// connected, it will be ignored and we will still try to set Wi-Fi as the default route
-	// because the delegated interface is not updated by the NetworkExtension framework.
-	//
-	// We work around this on the Swift side with a NWPathMonitor instance that observes
-	// the interface name of the first currently satisfied network path. Our Swift code will
-	// call into `UpdateLastKnownDefaultRouteInterface`, so we can rely on that when it is set.
-	//
-	// If for any reason the Swift machinery didn't work and we don't get any updates, here
-	// we also have some fallback logic: we try finding a hardcoded Wi-Fi interface called en0.
-	// If en0 is down, we fall back to cellular (pdp_ip0) as a last resort. This doesn't handle
-	// all edge cases like USB-Ethernet adapters or multiple Ethernet interfaces, but is good
-	// enough to ensure connectivity isn't broken.
-
-	// Start by getting all available interfaces.
-	interfaces, err := netInterfaces()
-	if err != nil {
-		log.Printf("defaultroute_ios: could not get interfaces: %v", err)
-		return d, ErrNoGatewayIndexFound
-	}
-
-	getInterfaceByName := func(name string) *Interface {
-		for _, ifc := range interfaces {
-			if ifc.Name != name {
-				continue
-			}
-
-			if !ifc.IsUp() {
-				log.Println("defaultroute_ios: %s is down", name)
-				return nil
-			}
-
-			addrs, _ := ifc.Addrs()
-			if len(addrs) == 0 {
-				log.Println("defaultroute_ios: %s has no addresses", name)
-				return nil
-			}
-			return &ifc
-		}
-		return nil
-	}
-
-	// Did Swift set lastKnownDefaultRouteInterface? If so, we should use it and don't bother
-	// with anything else. However, for sanity, do check whether Swift gave us with an interface
-	// that exists, is up, and has an address.
-	if swiftIfName := lastKnownDefaultRouteIfName.Load(); swiftIfName != "" {
-		ifc := getInterfaceByName(swiftIfName)
-		if ifc != nil {
-			log.Printf("defaultroute_ios: using %s (provided by Swift)", ifc.Name)
-			d.InterfaceName = ifc.Name
-			d.InterfaceIndex = ifc.Index
-			return d, nil
-		}
-	}
-
-	// Start of our fallback logic if Swift didn't give us an interface name, or gave us an invalid
-	// one.
-	// We start by attempting to use the Wi-Fi interface, which on iPhone is always called en0.
-	enZeroIf := getInterfaceByName("en0")
-	if enZeroIf != nil {
-		log.Println("defaultroute_ios: using en0 (fallback)")
-		d.InterfaceName = enZeroIf.Name
-		d.InterfaceIndex = enZeroIf.Index
-		return d, nil
-	}
-
-	// Did it not work? Let's try with Cellular (pdp_ip0).
-	cellIf := getInterfaceByName("pdp_ip0")
-	if cellIf != nil {
-		log.Println("defaultroute_ios: using pdp_ip0 (fallback)")
-		d.InterfaceName = cellIf.Name
-		d.InterfaceIndex = cellIf.Index
-		return d, nil
-	}
-
-	log.Println("defaultroute_ios: no running interfaces available")
-	return d, ErrNoGatewayIndexFound
-}
--- a/net/interfaces/interfaces_bsd.go
+++ b/net/interfaces/interfaces_bsd.go
@@ -12,6 +12,7 @@ import (
 	"errors"
 	"fmt"
 	"log"
+	"net"
 	"net/netip"
 	"syscall"

@@ -20,6 +21,20 @@ import (
 	"tailscale.com/net/netaddr"
 )

+func defaultRoute() (d DefaultRouteDetails, err error) {
+	idx, err := DefaultRouteInterfaceIndex()
+	if err != nil {
+		return d, err
+	}
+	iface, err := net.InterfaceByIndex(idx)
+	if err != nil {
+		return d, err
+	}
+	d.InterfaceName = iface.Name
+	d.InterfaceIndex = idx
+	return d, nil
+}
+
 // ErrNoGatewayIndexFound is returned by DefaultRouteInterfaceIndex when no
 // default route is found.
 var ErrNoGatewayIndexFound = errors.New("no gateway index found")
--- a/net/netutil/routes.go
+++ b/net/netutil/routes.go
@@ -29,12 +29,11 @@ func validateViaPrefix(ipp netip.Prefix) error {
 	// The first 64 bits of a are the via prefix.
 	// The next 32 bits are the "site ID".
 	// The last 32 bits are the IPv4.
-	//
-	// We used to only allow advertising site IDs from 0-255, but we have
-	// since relaxed this (as of 2024-01) to allow IDs from 0-65535.
+	// For now, we reserve the top 3 bytes of the site ID,
+	// and only allow users to use site IDs 0-255.
 	siteID := binary.BigEndian.Uint32(a[8:12])
-	if siteID > 0xFFFF {
-		return fmt.Errorf("route %v contains invalid site ID %08x; must be 0xffff or less", ipp, siteID)
+	if siteID > 0xFF {
+		return fmt.Errorf("route %v contains invalid site ID %08x; must be 0xff or less", ipp, siteID)
 	}
 	return nil
 }
--- a/net/stunserver/stunserver.go
+++ b/net/stunserver/stunserver.go
@@ -1,126 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-// Package stunserver implements a STUN server. The package publishes a number of stats
-// to expvar under the top level label "stun". Logs are sent to the standard log package.
-package stunserver
-
-import (
-	"context"
-	"errors"
-	"expvar"
-	"io"
-	"log"
-	"net"
-	"net/netip"
-	"time"
-
-	"tailscale.com/metrics"
-	"tailscale.com/net/stun"
-)
-
-var (
-	stats           = new(metrics.Set)
-	stunDisposition = &metrics.LabelMap{Label: "disposition"}
-	stunAddrFamily  = &metrics.LabelMap{Label: "family"}
-	stunReadError   = stunDisposition.Get("read_error")
-	stunNotSTUN     = stunDisposition.Get("not_stun")
-	stunWriteError  = stunDisposition.Get("write_error")
-	stunSuccess     = stunDisposition.Get("success")
-
-	stunIPv4 = stunAddrFamily.Get("ipv4")
-	stunIPv6 = stunAddrFamily.Get("ipv6")
-)
-
-func init() {
-	stats.Set("counter_requests", stunDisposition)
-	stats.Set("counter_addrfamily", stunAddrFamily)
-	expvar.Publish("stun", stats)
-}
-
-type STUNServer struct {
-	ctx context.Context // ctx signals service shutdown
-	pc  *net.UDPConn    // pc is the UDP listener
-}
-
-// New creates a new STUN server. The server is shutdown when ctx is done.
-func New(ctx context.Context) *STUNServer {
-	return &STUNServer{ctx: ctx}
-}
-
-// Listen binds the listen socket for the server at listenAddr.
-func (s *STUNServer) Listen(listenAddr string) error {
-	uaddr, err := net.ResolveUDPAddr("udp", listenAddr)
-	if err != nil {
-		return err
-	}
-	s.pc, err = net.ListenUDP("udp", uaddr)
-	if err != nil {
-		return err
-	}
-	log.Printf("STUN server listening on %v", s.LocalAddr())
-	// close the listener on shutdown in order to break out of the read loop
-	go func() {
-		<-s.ctx.Done()
-		s.pc.Close()
-	}()
-	return nil
-}
-
-// Serve starts serving responses to STUN requests. Listen must be called before Serve.
-func (s *STUNServer) Serve() error {
-	var buf [64 << 10]byte
-	var (
-		n   int
-		ua  *net.UDPAddr
-		err error
-	)
-	for {
-		n, ua, err = s.pc.ReadFromUDP(buf[:])
-		if err != nil {
-			if errors.Is(err, io.EOF) || errors.Is(err, net.ErrClosed) {
-				return nil
-			}
-			log.Printf("STUN ReadFrom: %v", err)
-			time.Sleep(time.Second)
-			stunReadError.Add(1)
-			continue
-		}
-		pkt := buf[:n]
-		if !stun.Is(pkt) {
-			stunNotSTUN.Add(1)
-			continue
-		}
-		txid, err := stun.ParseBindingRequest(pkt)
-		if err != nil {
-			stunNotSTUN.Add(1)
-			continue
-		}
-		if ua.IP.To4() != nil {
-			stunIPv4.Add(1)
-		} else {
-			stunIPv6.Add(1)
-		}
-		addr, _ := netip.AddrFromSlice(ua.IP)
-		res := stun.Response(txid, netip.AddrPortFrom(addr, uint16(ua.Port)))
-		_, err = s.pc.WriteTo(res, ua)
-		if err != nil {
-			stunWriteError.Add(1)
-		} else {
-			stunSuccess.Add(1)
-		}
-	}
-}
-
-// ListenAndServe starts the STUN server on listenAddr.
-func (s *STUNServer) ListenAndServe(listenAddr string) error {
-	if err := s.Listen(listenAddr); err != nil {
-		return err
-	}
-	return s.Serve()
-}
-
-// LocalAddr returns the local address of the STUN server. It must not be called before ListenAndServe.
-func (s *STUNServer) LocalAddr() net.Addr {
-	return s.pc.LocalAddr()
-}
--- a/net/stunserver/stunserver_test.go
+++ b/net/stunserver/stunserver_test.go
@@ -1,88 +0,0 @@
-// Copyright (c) Tailscale Inc & AUTHORS
-// SPDX-License-Identifier: BSD-3-Clause
-
-package stunserver
-
-import (
-	"context"
-	"net"
-	"sync"
-	"testing"
-	"time"
-
-	"tailscale.com/net/stun"
-	"tailscale.com/util/must"
-)
-
-func TestSTUNServer(t *testing.T) {
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-	s := New(ctx)
-	must.Do(s.Listen("localhost:0"))
-	var w sync.WaitGroup
-	w.Add(1)
-	var serveErr error
-	go func() {
-		defer w.Done()
-		serveErr = s.Serve()
-	}()
-
-	c := must.Get(net.DialUDP("udp", nil, s.LocalAddr().(*net.UDPAddr)))
-	defer c.Close()
-	c.SetDeadline(time.Now().Add(5 * time.Second))
-	txid := stun.NewTxID()
-	_, err := c.Write(stun.Request(txid))
-	if err != nil {
-		t.Fatalf("failed to write STUN request: %v", err)
-	}
-	var buf [64 << 10]byte
-	n, err := c.Read(buf[:])
-	if err != nil {
-		t.Fatalf("failed to read STUN response: %v", err)
-	}
-	if !stun.Is(buf[:n]) {
-		t.Fatalf("response is not STUN")
-	}
-	tid, _, err := stun.ParseResponse(buf[:n])
-	if err != nil {
-		t.Fatalf("failed to parse STUN response: %v", err)
-	}
-	if tid != txid {
-		t.Fatalf("STUN response has wrong transaction ID; got %d, want %d", tid, txid)
-	}
-
-	cancel()
-	w.Wait()
-	if serveErr != nil {
-		t.Fatalf("failed to listen and serve: %v", serveErr)
-	}
-}
-
-func BenchmarkServerSTUN(b *testing.B) {
-	b.ReportAllocs()
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
-
-	s := New(ctx)
-	s.Listen("localhost:0")
-	go s.Serve()
-	addr := s.LocalAddr().(*net.UDPAddr)
-
-	var resBuf [1500]byte
-	cc, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.ParseIP("127.0.0.1")})
-	if err != nil {
-		b.Fatal(err)
-	}
-
-	tx := stun.NewTxID()
-	req := stun.Request(tx)
-	for i := 0; i < b.N; i++ {
-		if _, err := cc.WriteToUDP(req, addr); err != nil {
-			b.Fatal(err)
-		}
-		_, _, err := cc.ReadFromUDP(resBuf[:])
-		if err != nil {
-			b.Fatal(err)
-		}
-	}
-}
--- a/ssh/tailssh/tailssh.go
+++ b/ssh/tailssh/tailssh.go
@@ -254,7 +254,7 @@ func (c *conn) vlogf(format string, args ...any) {

 // isAuthorized walks through the action chain and returns nil if the connection
 // is authorized. If the connection is not authorized, it returns
-// errDenied. If the action chain resolution fails, it returns the
+// gossh.ErrDenied. If the action chain resolution fails, it returns the
 // resolution error.
 func (c *conn) isAuthorized(ctx ssh.Context) error {
 	action := c.currentAction
@@ -266,7 +266,7 @@ func (c *conn) isAuthorized(ctx ssh.Context) error {
 			return nil
 		}
 		if action.Reject || action.HoldAndDelegate == "" {
-			return errDenied
+			return gossh.ErrDenied
 		}
 		var err error
 		action, err = c.resolveNextAction(ctx)
@@ -281,10 +281,6 @@ func (c *conn) isAuthorized(ctx ssh.Context) error {
 	}
 }

-// errDenied is returned by auth callbacks when a connection is denied by the
-// policy.
-var errDenied = errors.New("ssh: access denied")
-
 // errPubKeyRequired is returned by NoClientAuthCallback to make the client
 // resort to public-key auth; not user visible.
 var errPubKeyRequired = errors.New("ssh publickey required")
@@ -297,7 +293,7 @@ var errPubKeyRequired = errors.New("ssh publickey required")
 // starting it afresh). It returns an error if the policy evaluation fails, or
 // if the decision is "reject"
 //
-// It either returns nil (accept) or errPubKeyRequired or errDenied
+// It either returns nil (accept) or errPubKeyRequired or gossh.ErrDenied
 // (reject). The errors may be wrapped.
 func (c *conn) NoClientAuthCallback(ctx ssh.Context) error {
 	if c.insecureSkipTailscaleAuth {
@@ -364,18 +360,18 @@ func (c *conn) PublicKeyHandler(ctx ssh.Context, pubKey ssh.PublicKey) error {
 // pubKey. It returns nil if the matching policy action is Accept or
 // HoldAndDelegate. If pubKey is nil, there was no policy match but there is a
 // policy that might match a public key it returns errPubKeyRequired. Otherwise,
-// it returns errDenied.
+// it returns gossh.ErrDenied.
 func (c *conn) doPolicyAuth(ctx ssh.Context, pubKey ssh.PublicKey) error {
 	if err := c.setInfo(ctx); err != nil {
 		c.logf("failed to get conninfo: %v", err)
-		return errDenied
+		return gossh.ErrDenied
 	}
 	a, localUser, err := c.evaluatePolicy(pubKey)
 	if err != nil {
 		if pubKey == nil && c.havePubKeyPolicy() {
 			return errPubKeyRequired
 		}
-		return fmt.Errorf("%w: %v", errDenied, err)
+		return fmt.Errorf("%w: %v", gossh.ErrDenied, err)
 	}
 	c.action0 = a
 	c.currentAction = a
@@ -406,10 +402,10 @@ func (c *conn) doPolicyAuth(ctx ssh.Context, pubKey ssh.PublicKey) error {
 	}
 	if a.Reject {
 		c.finalAction = a
-		return errDenied
+		return gossh.ErrDenied
 	}
 	// Shouldn't get here, but:
-	return errDenied
+	return gossh.ErrDenied
 }

 // ServerConfig implements ssh.ServerConfigCallback.
@@ -427,7 +423,7 @@ func (srv *server) newConn() (*conn, error) {
 		// Stop accepting new connections.
 		// Connections in the auth phase are handled in handleConnPostSSHAuth.
 		// Existing sessions are terminated by Shutdown.
-		return nil, errDenied
+		return nil, gossh.ErrDenied
 	}
 	srv.mu.Unlock()
 	c := &conn{srv: srv}
--- a/tailcfg/tailcfg.go
+++ b/tailcfg/tailcfg.go
@@ -124,9 +124,7 @@ type CapabilityVersion int
 //   - 81: 2023-11-17: MapResponse.PacketFilters (incremental packet filter updates)
 //   - 82: 2023-12-01: Client understands NodeAttrLinuxMustUseIPTables, NodeAttrLinuxMustUseNfTables, c2n /netfilter-kind
 //   - 83: 2023-12-18: Client understands DefaultAutoUpdate
-//   - 84: 2024-01-04: Client understands SeamlessKeyRenewal
-//   - 85: 2024-01-05: Client understands MaxKeyDuration
-const CurrentCapabilityVersion CapabilityVersion = 85
+const CurrentCapabilityVersion CapabilityVersion = 83

 type StableID string

@@ -1887,10 +1885,6 @@ type MapResponse struct {
 	// auto-update setting doesn't change if the tailnet admin flips the
 	// default after the node registered.
 	DefaultAutoUpdate opt.Bool `json:",omitempty"`
-
-	// MaxKeyDuration describes the MaxKeyDuration setting for the tailnet.
-	// If zero, the value is unchanged.
-	MaxKeyDuration time.Duration `json:",omitempty"`
 }

 // ClientVersion is information about the latest client version that's available
@@ -2196,10 +2190,6 @@ const (
 	// netfilter management.
 	// This cannot be set simultaneously with NodeAttrLinuxMustUseIPTables.
 	NodeAttrLinuxMustUseNfTables NodeCapability = "linux-netfilter?v=nftables"
-
-	// NodeAttrSeamlessKeyRenewal makes clients enable beta functionality
-	// of renewing node keys without breaking connections.
-	NodeAttrSeamlessKeyRenewal NodeCapability = "seamless-key-renewal"
 )

 // SetDNSRequest is a request to add a DNS record.
--- a/taildrop/resume.go
+++ b/taildrop/resume.go
@@ -64,6 +64,9 @@ func (m *Manager) PartialFiles(id ClientID) (ret []string, err error) {
 	if m == nil || m.opts.Dir == "" {
 		return nil, ErrNoTaildrop
 	}
+	if m.opts.DirectFileMode && m.opts.AvoidFinalRename {
+		return nil, nil // resuming is not supported for users that peek at our file structure
+	}

 	suffix := id.partialSuffix()
 	if err := rangeDir(m.opts.Dir, func(de fs.DirEntry) bool {
@@ -87,6 +90,9 @@ func (m *Manager) HashPartialFile(id ClientID, baseName string) (next func() (Bl
 	}
 	noopNext := func() (BlockChecksum, error) { return BlockChecksum{}, io.EOF }
 	noopClose := func() error { return nil }
+	if m.opts.DirectFileMode && m.opts.AvoidFinalRename {
+		return noopNext, noopClose, nil // resuming is not supported for users that peek at our file structure
+	}

 	dstFile, err := joinDir(m.opts.Dir, baseName)
 	if err != nil {
--- a/taildrop/send.go
+++ b/taildrop/send.go
@@ -31,7 +31,6 @@ type incomingFile struct {
 	w              io.Writer // underlying writer
 	sendFileNotify func()    // called when done
 	partialPath    string    // non-empty in direct mode
-	finalPath      string    // not used in direct mode

 	mu         sync.Mutex
 	copied     int64
@@ -93,6 +92,13 @@ func (m *Manager) PutFile(id ClientID, baseName string, r io.Reader, offset, len
 		return err
 	}

+	avoidPartialRename := m.opts.DirectFileMode && m.opts.AvoidFinalRename
+	if avoidPartialRename {
+		// Users using AvoidFinalRename are depending on the exact filename
+		// of the partial files. So avoid injecting the id into it.
+		id = ""
+	}
+
 	// Check whether there is an in-progress transfer for the file.
 	partialPath := dstPath + id.partialSuffix()
 	inFileKey := incomingFileKey{id, baseName}
@@ -105,7 +111,6 @@ func (m *Manager) PutFile(id ClientID, baseName string, r io.Reader, offset, len
 		}
 		if m.opts.DirectFileMode {
 			inFile.partialPath = partialPath
-			inFile.finalPath = dstPath
 		}
 		return inFile
 	})
@@ -123,6 +128,10 @@ func (m *Manager) PutFile(id ClientID, baseName string, r io.Reader, offset, len
 	defer func() {
 		f.Close() // best-effort to cleanup dangling file handles
 		if err != nil {
+			if avoidPartialRename {
+				os.Remove(partialPath) // best-effort
+				return
+			}
 			m.deleter.Insert(filepath.Base(partialPath)) // mark partial file for eventual deletion
 		}
 	}()
@@ -170,9 +179,16 @@ func (m *Manager) PutFile(id ClientID, baseName string, r io.Reader, offset, len
 	}
 	fileLength := offset + copyLength

-	inFile.mu.Lock()
-	inFile.done = true
-	inFile.mu.Unlock()
+	// Return early for avoidPartialRename since users of AvoidFinalRename
+	// are depending on the exact naming of partial files.
+	if avoidPartialRename {
+		inFile.mu.Lock()
+		inFile.done = true
+		inFile.mu.Unlock()
+		m.totalReceived.Add(1)
+		m.opts.SendFileNotify()
+		return fileLength, nil
+	}

 	// File has been successfully received, rename the partial file
 	// to the final destination filename. If a file of that name already exists,
@@ -205,10 +221,6 @@ func (m *Manager) PutFile(id ClientID, baseName string, r io.Reader, offset, len
 		}

 		// Avoid the final rename if a destination file has the same contents.
-		//
-		// Note: this is best effort and copying files from iOS from the Media Library
-		// results in processing on the iOS side which means the size and shas of the
-		// same file can be different.
 		if dstLength == fileLength {
 			partialSum, err := computePartialSum()
 			if err != nil {
@@ -228,7 +240,6 @@ func (m *Manager) PutFile(id ClientID, baseName string, r io.Reader, offset, len

 		// Choose a new destination filename and try again.
 		dstPath = NextFilename(dstPath)
-		inFile.finalPath = dstPath
 	}
 	if maxRetries <= 0 {
 		return 0, errors.New("too many retries trying to rename partial file")
--- a/taildrop/taildrop.go
+++ b/taildrop/taildrop.go
@@ -90,6 +90,15 @@ type ManagerOptions struct {
 	// copy them out, and then delete them.
 	DirectFileMode bool

+	// AvoidFinalRename specifies whether in DirectFileMode
+	// we should avoid renaming "foo.jpg.partial" to "foo.jpg" after reception.
+	//
+	// TODO(joetsai,rhea): Delete this. This is currently depended upon
+	// in the Apple platforms since it violates the abstraction layer
+	// and directly assumes how taildrop represents partial files.
+	// Right now, file resumption does not work on Apple.
+	AvoidFinalRename bool
+
 	// SendFileNotify is called periodically while a file is actively
 	// receiving the contents for the file. There is a final call
 	// to the function when reception completes.
@@ -160,7 +169,7 @@ func validFilenameRune(r rune) bool {
 		// sent.
 		return false
 	}
-	return unicode.IsGraphic(r)
+	return unicode.IsPrint(r)
 }

 func isPartialOrDeleted(s string) bool {
@@ -235,7 +244,6 @@ func (m *Manager) IncomingFiles() []ipn.PartialFile {
 			DeclaredSize: f.size,
 			Received:     f.copied,
 			PartialPath:  f.partialPath,
-			FinalPath:    f.finalPath,
 			Done:         f.done,
 		})
 		return true
--- a/taildrop/taildrop_test.go
+++ b/taildrop/taildrop_test.go
@@ -55,7 +55,6 @@ func TestNextFilename(t *testing.T) {
 		{"my song.mp3", "my song (1).mp3", "my song (2).mp3"},
 		{"archive.7z", "archive (1).7z", "archive (2).7z"},
 		{"foo/bar/fizz", "foo/bar/fizz (1)", "foo/bar/fizz (2)"},
-		{"新完全マスター　N2　文法.pdf", "新完全マスター　N2　文法 (1).pdf", "新完全マスター　N2　文法 (2).pdf"},
 	}

 	for _, tt := range tests {
--- a/tsnet/tsnet.go
+++ b/tsnet/tsnet.go
@@ -546,13 +546,7 @@ func (s *Server) start() (reterr error) {
 		return ok
 	}
 	s.dialer.NetstackDialTCP = func(ctx context.Context, dst netip.AddrPort) (net.Conn, error) {
-		// Note: don't just return ns.DialContextTCP or we'll
-		// return an interface containing a nil pointer.
-		tcpConn, err := ns.DialContextTCP(ctx, dst)
-		if err != nil {
-			return nil, err
-		}
-		return tcpConn, nil
+		return ns.DialContextTCP(ctx, dst)
 	}

 	if s.Store == nil {
--- a/tstest/integration/integration_test.go
+++ b/tstest/integration/integration_test.go
@@ -29,7 +29,6 @@ import (
 	"time"

 	"go4.org/mem"
-	"tailscale.com/clientupdate"
 	"tailscale.com/cmd/testwrapper/flakytest"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnlocal"
@@ -42,7 +41,6 @@ import (
 	"tailscale.com/tstest/integration/testcontrol"
 	"tailscale.com/types/key"
 	"tailscale.com/types/logger"
-	"tailscale.com/types/opt"
 	"tailscale.com/types/ptr"
 	"tailscale.com/util/must"
 	"tailscale.com/util/rands"
@@ -874,99 +872,6 @@ func TestLogoutRemovesAllPeers(t *testing.T) {
 	wantNode0PeerCount(expectedPeers) // all existing peers and the new node
 }

-func TestAutoUpdateDefaults(t *testing.T) {
-	if !clientupdate.CanAutoUpdate() {
-		t.Skip("auto-updates not supported on this platform")
-	}
-	tstest.Shard(t)
-	tstest.Parallel(t)
-	env := newTestEnv(t)
-
-	checkDefault := func(n *testNode, want bool) error {
-		enabled, ok := n.diskPrefs().AutoUpdate.Apply.Get()
-		if !ok {
-			return fmt.Errorf("auto-update for node is unset, should be set as %v", want)
-		}
-		if enabled != want {
-			return fmt.Errorf("auto-update for node is %v, should be set as %v", enabled, want)
-		}
-		return nil
-	}
-
-	sendAndCheckDefault := func(t *testing.T, n *testNode, send, want bool) {
-		t.Helper()
-		if !env.Control.AddRawMapResponse(n.MustStatus().Self.PublicKey, &tailcfg.MapResponse{
-			DefaultAutoUpdate: opt.NewBool(send),
-		}) {
-			t.Fatal("failed to send MapResponse to node")
-		}
-		if err := tstest.WaitFor(2*time.Second, func() error {
-			return checkDefault(n, want)
-		}); err != nil {
-			t.Fatal(err)
-		}
-	}
-
-	tests := []struct {
-		desc string
-		run  func(t *testing.T, n *testNode)
-	}{
-		{
-			desc: "tailnet-default-false",
-			run: func(t *testing.T, n *testNode) {
-				// First received default "false".
-				sendAndCheckDefault(t, n, false, false)
-				// Should not be changed even if sent "true" later.
-				sendAndCheckDefault(t, n, true, false)
-				// But can be changed explicitly by the user.
-				if out, err := n.Tailscale("set", "--auto-update").CombinedOutput(); err != nil {
-					t.Fatalf("failed to enable auto-update on node: %v\noutput: %s", err, out)
-				}
-				sendAndCheckDefault(t, n, false, true)
-			},
-		},
-		{
-			desc: "tailnet-default-true",
-			run: func(t *testing.T, n *testNode) {
-				// First received default "true".
-				sendAndCheckDefault(t, n, true, true)
-				// Should not be changed even if sent "false" later.
-				sendAndCheckDefault(t, n, false, true)
-				// But can be changed explicitly by the user.
-				if out, err := n.Tailscale("set", "--auto-update=false").CombinedOutput(); err != nil {
-					t.Fatalf("failed to disable auto-update on node: %v\noutput: %s", err, out)
-				}
-				sendAndCheckDefault(t, n, true, false)
-			},
-		},
-		{
-			desc: "user-sets-first",
-			run: func(t *testing.T, n *testNode) {
-				// User sets auto-update first, before receiving defaults.
-				if out, err := n.Tailscale("set", "--auto-update=false").CombinedOutput(); err != nil {
-					t.Fatalf("failed to disable auto-update on node: %v\noutput: %s", err, out)
-				}
-				// Defaults sent from control should be ignored.
-				sendAndCheckDefault(t, n, true, false)
-				sendAndCheckDefault(t, n, false, false)
-			},
-		},
-	}
-	for _, tt := range tests {
-		t.Run(tt.desc, func(t *testing.T) {
-			n := newTestNode(t, env)
-			d := n.StartDaemon()
-			defer d.MustCleanShutdown(t)
-
-			n.AwaitResponding()
-			n.MustUp()
-			n.AwaitRunning()
-
-			tt.run(t, n)
-		})
-	}
-}
-
 // testEnv contains the test environment (set of servers) used by one
 // or more nodes.
 type testEnv struct {
--- a/types/netmap/netmap.go
+++ b/types/netmap/netmap.go
@@ -75,9 +75,6 @@ type NetworkMap struct {
 	DomainAuditLogID string

 	UserProfiles map[tailcfg.UserID]tailcfg.UserProfile
-
-	// MaxKeyDuration describes the MaxKeyDuration setting for the tailnet.
-	MaxKeyDuration time.Duration
 }

 // User returns nm.SelfNode.User if nm.SelfNode is non-nil, otherwise it returns
--- a/types/netmap/nodemut.go
+++ b/types/netmap/nodemut.go
@@ -177,6 +177,5 @@ func mapResponseContainsNonPatchFields(res *tailcfg.MapResponse) bool {
 		// function is called, so it should never be set anyway. But for
 		// completedness, and for tests, check it too:
 		res.PeersChanged != nil ||
-		res.DefaultAutoUpdate != "" ||
-		res.MaxKeyDuration > 0
+		res.DefaultAutoUpdate != ""
 }
--- a/types/netmap/nodemut_test.go
+++ b/types/netmap/nodemut_test.go
@@ -32,7 +32,7 @@ func TestMapResponseContainsNonPatchFields(t *testing.T) {
 			}
 			return reflect.ValueOf("foo").Convert(t)
 		case reflect.Int64:
-			return reflect.ValueOf(int64(1)).Convert(t)
+			return reflect.ValueOf(int64(1))
 		case reflect.Slice:
 			return reflect.MakeSlice(t, 1, 1)
 		case reflect.Ptr:
--- a/util/winutil/restartmgr_windows.go
+++ b/util/winutil/restartmgr_windows.go
@@ -23,12 +23,7 @@ import (
 )

 var (
-	// ErrDefunctProcess is returned by (*UniqueProcess).AsRestartableProcess
-	// when the process no longer exists.
 	ErrDefunctProcess        = errors.New("process is defunct")
-	// ErrProcessNotRestartable is returned by (*UniqueProcess).AsRestartableProcess
-	// when the process has previously indicated that it must not be restarted
-	// during a patch/upgrade.
 	ErrProcessNotRestartable = errors.New("process is not restartable")
 )
Author	SHA1	Message	Date
Irbe Krumina	23d8ccce34	Experimental Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2024-01-05 09:14:02 +00:00
Irbe Krumina	b0d87c9c80	Try to pass config file to tailscaled Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2024-01-05 05:55:41 +00:00
Irbe Krumina	4b43419923	temp	2024-01-04 19:23:26 +00:00
Irbe Krumina	713ed80a09	cmd/k8s-operator/deploy/examples: update example Connector yaml to add exit node Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2024-01-04 12:37:13 +00:00
Irbe Krumina	a9f37b852d	cmd/k8s-operator: optionally configure Connector as exit node The Kubernetes operator parses Connector custom resource and, if .spec.isExitNode is set, configures that Tailscale node deployed for that connector as an exit node. NB: it is currently not possible to switch from a Connector that acts as an exit node to one that does not- it requires deleting and redeploying Connector Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2024-01-04 12:27:21 +00:00
Irbe Krumina	5ad0dce5c0	cmd/k8s-operator/deploy/crds,k8s-operator/apis/v1alpha1: allow to define an exit node via Connector CR Make it possible to define an exit node to be deployed to a Kubernetes cluster via Connector Custom resource. Also changes to Connector API so that one Connector corresponds to one Tailnet node that can be either a subnet router or an exit node or both. Updates tailscale/tailscale#10708 Signed-off-by: Irbe Krumina <irbe@tailscale.com>	2024-01-04 12:27:12 +00:00