Merge b25c2c7f09 into a71a933705

update nix hash
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-11-29 18:33:05 +00:00 · 2024-11-04 10:14:39 -06:00 · 2024-11-04 10:14:30 -06:00 · 2024-10-24 09:46:46 -05:00 · 2024-10-24 09:38:33 -05:00
40 changed files with 236 additions and 1167 deletions
--- a/.github/workflows/test-integration.yaml
+++ b/.github/workflows/test-integration.yaml
@ -38,7 +38,6 @@ jobs:
          - TestNodeMoveCommand
          - TestPolicyCommand
          - TestPolicyBrokenConfigCommand
-          - TestDERPVerifyEndpoint
          - TestResolveMagicDNS
          - TestValidateResolvConf
          - TestDERPServerScenario
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@ -154,7 +154,7 @@ kos:
      - "{{ if not .Prerelease }}v{{ .Major }}.{{ .Minor }}.{{ .Patch }}-debug{{ end }}"
      - "{{ if not .Prerelease }}v{{ .Major }}.{{ .Minor }}-debug{{ end }}"
      - "{{ if not .Prerelease }}v{{ .Major }}-debug{{ end }}"
-      - "{{ if not .Prerelease }}stable-debug{{ else }}unstable-debug{{ end }}"
+      - "{{ if not .Prerelease }}stable{{ else }}unstable-debug{{ end }}"
      - "{{ .Tag }}-debug"
      - '{{ trimprefix .Tag "v" }}-debug'
      - "sha-{{ .ShortCommit }}-debug"
@ -177,7 +177,7 @@ kos:
      - "{{ if not .Prerelease }}v{{ .Major }}.{{ .Minor }}.{{ .Patch }}-debug{{ end }}"
      - "{{ if not .Prerelease }}v{{ .Major }}.{{ .Minor }}-debug{{ end }}"
      - "{{ if not .Prerelease }}v{{ .Major }}-debug{{ end }}"
-      - "{{ if not .Prerelease }}stable-debug{{ else }}unstable-debug{{ end }}"
+      - "{{ if not .Prerelease }}stable{{ else }}unstable-debug{{ end }}"
      - "{{ .Tag }}-debug"
      - '{{ trimprefix .Tag "v" }}-debug'
      - "sha-{{ .ShortCommit }}-debug"
--- a/.prettierignore
+++ b/.prettierignore
@ -1,3 +1,2 @@
 .github/workflows/test-integration-v2*
 docs/about/features.md
-docs/ref/remote-cli.md
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -22,8 +22,6 @@
 - Fixed processing of fields in post request in MoveNode rpc [#2179](https://github.com/juanfont/headscale/pull/2179)
 - Added conversion of 'Hostname' to 'givenName' in a node with FQDN rules applied [#2198](https://github.com/juanfont/headscale/pull/2198)
 - Fixed updating of hostname and givenName when it is updated in HostInfo [#2199](https://github.com/juanfont/headscale/pull/2199)
- Fixed missing `stable-debug` container tag [#2232](https://github.com/juanfont/headscale/pr/2232)
- Loosened up `server_url` and `base_domain` check. It was overly strict in some cases.

 ## 0.23.0 (2024-09-18)

--- a/CODE_OF_CONDUCT.md
+++ b/CODE_OF_CONDUCT.md
@ -62,7 +62,7 @@ event.

 Instances of abusive, harassing, or otherwise unacceptable behavior
 may be reported to the community leaders responsible for enforcement
-on our [Discord server](https://discord.gg/c84AZQhmpx). All complaints
+at our Discord channel. All complaints
 will be reviewed and investigated promptly and fairly.

 All community leaders are obligated to respect the privacy and
--- a/Dockerfile.derper
+++ b/Dockerfile.derper
@ -1,19 +0,0 @@
-# For testing purposes only
-
-FROM golang:alpine AS build-env
-
-WORKDIR /go/src
-
-RUN apk add --no-cache git
-ARG VERSION_BRANCH=main
-RUN git clone https://github.com/tailscale/tailscale.git --branch=$VERSION_BRANCH --depth=1
-WORKDIR /go/src/tailscale
-
-ARG TARGETARCH
-RUN GOARCH=$TARGETARCH go install -v ./cmd/derper
-
-FROM alpine:3.18
-RUN apk add --no-cache ca-certificates iptables iproute2 ip6tables curl
-
-COPY --from=build-env /go/bin/* /usr/local/bin/
-ENTRYPOINT [ "/usr/local/bin/derper" ]
--- a/Dockerfile.tailscale-HEAD
+++ b/Dockerfile.tailscale-HEAD
@ -28,9 +28,7 @@ ARG VERSION_GIT_HASH=""
 ENV VERSION_GIT_HASH=$VERSION_GIT_HASH
 ARG TARGETARCH

-ARG BUILD_TAGS=""
-
-RUN GOARCH=$TARGETARCH go install -tags="${BUILD_TAGS}" -ldflags="\
+RUN GOARCH=$TARGETARCH go install -ldflags="\
      -X tailscale.com/version.longStamp=$VERSION_LONG \
      -X tailscale.com/version.shortStamp=$VERSION_SHORT \
      -X tailscale.com/version.gitCommitStamp=$VERSION_GIT_HASH" \
--- a/README.md
+++ b/README.md
@ -4,7 +4,7 @@

 An open source, self-hosted implementation of the Tailscale control server.

-Join our [Discord server](https://discord.gg/c84AZQhmpx) for a chat.
+Join our [Discord](https://discord.gg/c84AZQhmpx) server for a chat.

 **Note:** Always select the same GitHub tag as the released version you use
 to ensure you have the correct example configuration and documentation.
--- a/docs/about/clients.md
+++ b/docs/about/clients.md
@ -13,4 +13,3 @@ headscale.
 | Android | Yes (see [docs](../usage/connect/android.md))                                                         |
 | macOS   | Yes (see [docs](../usage/connect/apple.md#macos) and `/apple` on your headscale for more information) |
 | iOS     | Yes (see [docs](../usage/connect/apple.md#ios) and `/apple` on your headscale for more information)   |
-| tvOS    | Yes (see [docs](../usage/connect/apple.md#tvos) and `/apple` on your headscale for more information)  |
--- a/docs/about/faq.md
+++ b/docs/about/faq.md
@ -41,15 +41,13 @@ In addition to that, you may use packages provided by the community or from dist
 [installation guide using community packages](../setup/install/community.md).

 For convenience, we also [build Docker images with headscale](../setup/install/container.md). But **please be aware that
-we don't officially support deploying headscale using Docker**. On our [Discord server](https://discord.gg/c84AZQhmpx)
-we have a "docker-issues" channel where you can ask for Docker-specific help to the community.
+we don't officially support deploying headscale using Docker**. We have a [Discord
+channel](https://discord.com/channels/896711691637780480/1070619770942148618) where you can ask for Docker-specific help
+to the community.

 ## Why is my reverse proxy not working with headscale?

-We don't know. We don't use reverse proxies with headscale ourselves, so we don't have any experience with them. We have
-[community documentation](../ref/integration/reverse-proxy.md) on how to configure various reverse proxies, and a
-dedicated "reverse-proxy-issues" channel on our [Discord server](https://discord.gg/c84AZQhmpx) where you can ask for
-help to the community.
+We don't know. We don't use reverse proxies with headscale ourselves, so we don't have any experience with them. We have [community documentation](../ref/integration/reverse-proxy.md) on how to configure various reverse proxies, and a dedicated [Discord channel](https://discord.com/channels/896711691637780480/1070619818346164324) where you can ask for help to the community.

 ## Can I use headscale and tailscale on the same machine?

--- a/docs/about/help.md
+++ b/docs/about/help.md
@ -1,5 +1,11 @@
 # Getting help

-Join our [Discord server](https://discord.gg/c84AZQhmpx) for announcements and community support.
+Join our Discord server for announcements and community support:
+
+- [announcements](https://discord.com/channels/896711691637780480/896711692120129538)
+- [general](https://discord.com/channels/896711691637780480/896711692120129540)
+- [docker-issues](https://discord.com/channels/896711691637780480/1070619770942148618)
+- [reverse-proxy-issues](https://discord.com/channels/896711691637780480/1070619818346164324)
+- [web-interfaces](https://discord.com/channels/896711691637780480/1105842846386356294)

 Please report bugs via [GitHub issues](https://github.com/juanfont/headscale/issues)
--- a/docs/about/releases.md
+++ b/docs/about/releases.md
@ -6,4 +6,5 @@ code archives. Container images are available on [Docker Hub](https://hub.docker

 An Atom/RSS feed of headscale releases is available [here](https://github.com/juanfont/headscale/releases.atom).

-See the "announcements" channel on our [Discord server](https://discord.gg/c84AZQhmpx) for news about headscale.
+Join the ["announcements" channel on Discord](https://discord.com/channels/896711691637780480/896711692120129538) for
+news about headscale.
--- a/docs/index.md
+++ b/docs/index.md
@ -10,7 +10,7 @@ Headscale is an open source, self-hosted implementation of the Tailscale control

 This page contains the documentation for the latest version of headscale. Please also check our [FAQ](./about/faq.md).

-Join our [Discord server](https://discord.gg/c84AZQhmpx) for a chat and community support.
+Join our [Discord](https://discord.gg/c84AZQhmpx) server for a chat and community support.

 ## Design goal

--- a/docs/ref/acls.md
+++ b/docs/ref/acls.md
@ -45,11 +45,11 @@ headscale server.

 ACLs have to be written in [huJSON](https://github.com/tailscale/hujson).

-When [registering the servers](../usage/getting-started.md#register-a-node) we
-will need to add the flag `--advertise-tags=tag:<tag1>,tag:<tag2>`, and the user
-that is registering the server should be allowed to do it. Since anyone can add
-tags to a server they can register, the check of the tags is done on headscale
-server and only valid tags are applied. A tag is valid if the user that is
+When registering the servers we will need to add the flag
+`--advertise-tags=tag:<tag1>,tag:<tag2>`, and the user that is
+registering the server should be allowed to do it. Since anyone can add tags to
+a server they can register, the check of the tags is done on headscale server
+and only valid tags are applied. A tag is valid if the user that is
 registering it is allowed to do it.

 To use ACLs in headscale, you must edit your `config.yaml` file. In there you will find a `policy.path` parameter. This will need to point to your ACL file. More info on how these policies are written can be found [here](https://tailscale.com/kb/1018/acls/).
--- a/docs/ref/integration/tools.md
+++ b/docs/ref/integration/tools.md
@ -1,12 +0,0 @@
-# Tools related to headscale
-
-!!! warning "Community contributions"
-
-    This page contains community contributions. The projects listed here are not
-    maintained by the headscale authors and are written by community members.
-
-This page collects third-party tools and scripts related to headscale.
-
-| Name              | Repository Link                                                 | Description                                       |
-| ----------------- | --------------------------------------------------------------- | ------------------------------------------------- |
-| tailscale-manager | [Github](https://github.com/singlestore-labs/tailscale-manager) | Dynamically manage Tailscale route advertisements |
--- a/docs/ref/integration/web-ui.md
+++ b/docs/ref/integration/web-ui.md
@ -1,19 +1,17 @@
-# Web interfaces for headscale
+# Headscale web interface

 !!! warning "Community contributions"

    This page contains community contributions. The projects listed here are not
    maintained by the headscale authors and are written by community members.

-Headscale doesn't provide a built-in web interface but users may pick one from the available options.
+| Name            | Repository Link                                         | Description                                                                         | Status |
+| --------------- | ------------------------------------------------------- | ----------------------------------------------------------------------------------- | ------ |
+| headscale-webui | [Github](https://github.com/ifargle/headscale-webui)    | A simple headscale web UI for small-scale deployments.                              | Alpha  |
+| headscale-ui    | [Github](https://github.com/gurucomputing/headscale-ui) | A web frontend for the headscale Tailscale-compatible coordination server           | Alpha  |
+| HeadscaleUi     | [GitHub](https://github.com/simcu/headscale-ui)         | A static headscale admin ui, no backend enviroment required                         | Alpha  |
+| Headplane       | [GitHub](https://github.com/tale/headplane)             | An advanced Tailscale inspired frontend for headscale                               | Alpha  |
+| headscale-admin | [Github](https://github.com/GoodiesHQ/headscale-admin)  | Headscale-Admin is meant to be a simple, modern web interface for headscale         | Beta   |
+| ouroboros       | [Github](https://github.com/yellowsink/ouroboros)       | Ouroboros is designed for users to manage their own devices, rather than for admins | Stable |

-| Name            | Repository Link                                         | Description                                                                         |
-| --------------- | ------------------------------------------------------- | ----------------------------------------------------------------------------------- |
-| headscale-webui | [Github](https://github.com/ifargle/headscale-webui)    | A simple headscale web UI for small-scale deployments.                              |
-| headscale-ui    | [Github](https://github.com/gurucomputing/headscale-ui) | A web frontend for the headscale Tailscale-compatible coordination server           |
-| HeadscaleUi     | [GitHub](https://github.com/simcu/headscale-ui)         | A static headscale admin ui, no backend enviroment required                         |
-| Headplane       | [GitHub](https://github.com/tale/headplane)             | An advanced Tailscale inspired frontend for headscale                               |
-| headscale-admin | [Github](https://github.com/GoodiesHQ/headscale-admin)  | Headscale-Admin is meant to be a simple, modern web interface for headscale         |
-| ouroboros       | [Github](https://github.com/yellowsink/ouroboros)       | Ouroboros is designed for users to manage their own devices, rather than for admins |
-
-You can ask for support on our [Discord server](https://discord.gg/c84AZQhmpx) in the "web-interfaces" channel.
+You can ask for support on our dedicated [Discord channel](https://discord.com/channels/896711691637780480/1105842846386356294).
--- a/docs/ref/remote-cli.md
+++ b/docs/ref/remote-cli.md
@ -1,21 +1,22 @@
 # Controlling headscale with remote CLI

-This documentation has the goal of showing a user how-to control a headscale instance
+This documentation has the goal of showing a user how-to set control a headscale instance
 from a remote machine with the `headscale` command line binary.

 ## Prerequisite

- A workstation to run `headscale` (any supported platform, e.g. Linux).
- A headscale server with gRPC enabled.
- Connections to the gRPC port (default: `50443`) are allowed.
- Remote access requires an encrypted connection via TLS.
- An API key to authenticate with the headscale server.
+- A workstation to run headscale (could be Linux, macOS, other supported platforms)
+- A headscale server (version `0.13.0` or newer)
+- Access to create API keys (local access to the headscale server)
+- headscale _must_ be served over TLS/HTTPS
+  - Remote access does _not_ support unencrypted traffic.
+- Port `50443` must be open in the firewall (or port overridden by `grpc_listen_addr` option)

 ## Create an API key

-We need to create an API key to authenticate with the remote headscale server when using it from our workstation.
+We need to create an API key to authenticate our remote headscale when using it from our workstation.

-To create an API key, log into your headscale server and generate a key:
+To create a API key, log into your headscale server and generate a key:

 ```shell
 headscale apikeys create --expiration 90d
@ -24,7 +25,7 @@ headscale apikeys create --expiration 90d
 Copy the output of the command and save it for later. Please note that you can not retrieve a key again,
 if the key is lost, expire the old one, and create a new key.

-To list the keys currently associated with the server:
+To list the keys currently assosicated with the server:

 ```shell
 headscale apikeys list
@ -38,8 +39,7 @@ headscale apikeys expire --prefix "<PREFIX>"

 ## Download and configure headscale

-1.  Download the [`headscale` binary from GitHub's release page](https://github.com/juanfont/headscale/releases). Make
-    sure to use the same version as on the server.
+1.  Download the latest [`headscale` binary from GitHub's release page](https://github.com/juanfont/headscale/releases):

 1.  Put the binary somewhere in your `PATH`, e.g. `/usr/local/bin/headscale`

@ -49,32 +49,25 @@ headscale apikeys expire --prefix "<PREFIX>"
    chmod +x /usr/local/bin/headscale
    ```

-1.  Provide the connection parameters for the remote headscale server either via a minimal YAML configuration file or via
-    environment variables:
+1.  Configure the CLI through environment variables

-    === "Minimal YAML configuration file"
+    ```shell
+    export HEADSCALE_CLI_ADDRESS="<HEADSCALE ADDRESS>:<PORT>"
+    export HEADSCALE_CLI_API_KEY="<API KEY FROM PREVIOUS STAGE>"
+    ```

-        ```yaml
-        cli:
-            address: <HEADSCALE_ADDRESS>:<PORT>
-            api_key: <API_KEY_FROM_PREVIOUS_STEP>
-        ```
+    for example:

-    === "Environment variables"
+    ```shell
+    export HEADSCALE_CLI_ADDRESS="headscale.example.com:50443"
+    export HEADSCALE_CLI_API_KEY="abcde12345"
+    ```

-        ```shell
-        export HEADSCALE_CLI_ADDRESS="<HEADSCALE_ADDRESS>:<PORT>"
-        export HEADSCALE_CLI_API_KEY="<API_KEY_FROM_PREVIOUS_STEP>"
-        ```
+    This will tell the `headscale` binary to connect to a remote instance, instead of looking
+    for a local instance (which is what it does on the server).

-        !!! bug
-
-            Headscale 0.23.0 requires at least an empty configuration file when environment variables are used to
-            specify connection details. See [issue 2193](https://github.com/juanfont/headscale/issues/2193) for more
-            information.
-
-    This instructs the `headscale` binary to connect to a remote instance at `<HEADSCALE_ADDRESS>:<PORT>`, instead of
-    connecting to the local instance.
+    The API key is needed to make sure that you are allowed to access the server. The key is _not_
+    needed when running directly on the server, as the connection is local.

 1.  Test the connection

@ -96,10 +89,10 @@ While this is _not a supported_ feature, an example on how this can be set up on

 ## Troubleshooting

- Make sure you have the _same_ headscale version on your server and workstation.
- Ensure that connections to the gRPC port are allowed.
- Verify that your TLS certificate is valid and trusted.
- If you don't have access to a trusted certificate (e.g. from Let's Encrypt), either:
-    - Add your self-signed certificate to the trust store of your OS _or_
-    - Disable certificate verification by either setting `cli.insecure: true` in the configuration file or by setting
-      `HEADSCALE_CLI_INSECURE=1` via an environment variable. We do **not** recommend to disable certificate validation.
+Checklist:
+
+- Make sure you have the _same_ headscale version on your server and workstation
+- Make sure you use version `0.13.0` or newer.
+- Verify that your TLS certificate is valid and trusted
+  - If you do not have access to a trusted certificate (e.g. from Let's Encrypt), add your self signed certificate to the trust store of your OS or
+  - Set `HEADSCALE_CLI_INSECURE` to 0 in your environment
--- a/docs/ref/tls.md
+++ b/docs/ref/tls.md
@ -9,8 +9,6 @@ tls_cert_path: ""
 tls_key_path: ""
 ```

-The certificate should contain the full chain, else some clients, like the Tailscale Android client, will reject it.
-
 ## Let's Encrypt / ACME

 To get a certificate automatically via [Let's Encrypt](https://letsencrypt.org/), set `tls_letsencrypt_hostname` to the desired certificate hostname. This name must resolve to the IP address(es) headscale is reachable on (i.e., it must correspond to the `server_url` configuration parameter). The certificate and Let's Encrypt account credentials will be stored in the directory configured in `tls_letsencrypt_cache_dir`. If the path is relative, it will be interpreted as relative to the directory the configuration file was read from.
--- a/docs/setup/install/community.md
+++ b/docs/setup/install/community.md
@ -28,7 +28,7 @@ development version.

 ## Fedora, RHEL, CentOS

-A third-party repository for various RPM based distributions is available at:
+A 3rd-party repository for various RPM based distributions is available at:
 <https://copr.fedorainfracloud.org/coprs/jonathanspw/headscale/>. The site provides detailed setup and installation
 instructions.

--- a/docs/usage/connect/apple.md
+++ b/docs/usage/connect/apple.md
@ -47,23 +47,3 @@ tailscale login --login-server <YOUR_HEADSCALE_URL>
 - Under `Custom Login Server`, select `Add Account...`
 - Enter the URL of your headscale instance (e.g `https://headscale.example.com`) and press `Add Account`
 - Follow the login procedure in the browser
-
-## tvOS
-
-### Installation
-
-Install the official Tailscale tvOS client from the [App Store](https://apps.apple.com/app/tailscale/id1470499037).
-
-!!! danger
-
-    **Don't** open the Tailscale App after installation!
-
-### Configuring the headscale URL
-
- Open Settings (the Apple tvOS settings) > Apps > Tailscale
- Under `ALTERNATE COORDINATION SERVER URL`, select `URL`
- Enter the URL of your headscale instance (e.g `https://headscale.example.com`) and press `OK`
- Return to the tvOS Home screen
- Open Tailscale
- Click the button `Install VPN configuration` and confirm the appearing popup by clicking the `Allow` button
- Scan the QR code and follow the login procedure
--- a/docs/usage/getting-started.md
+++ b/docs/usage/getting-started.md
@ -9,8 +9,6 @@ This page helps you get started with headscale and provides a few usage examples
      installation instructions.
    * The configuration file exists and is adjusted to suit your environment, see
      [Configuration](../ref/configuration.md) for details.
-    * Headscale is reachable from the Internet. Verify this by opening client specific setup instructions in your
-      browser, e.g. https://headscale.example.com/windows
    * The Tailscale client is installed, see [Client and operating system support](../about/clients.md) for more
      information.

--- a/flake.lock
+++ b/flake.lock
@ -5,11 +5,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1731533236,
-        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+        "lastModified": 1726560853,
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
        "type": "github"
      },
      "original": {
@ -20,11 +20,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1731763621,
-        "narHash": "sha256-ddcX4lQL0X05AYkrkV2LMFgGdRvgap7Ho8kgon3iWZk=",
+        "lastModified": 1729850857,
+        "narHash": "sha256-WvLXzNNnnw+qpFOmgaM3JUlNEH+T4s22b5i2oyyCpXE=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "c69a9bffbecde46b4b939465422ddc59493d3e4d",
+        "rev": "41dea55321e5a999b17033296ac05fe8a8b5a257",
        "type": "github"
      },
      "original": {
--- a/hscontrol/app.go
+++ b/hscontrol/app.go
@ -457,12 +457,9 @@ func (h *Headscale) createRouter(grpcMux *grpcRuntime.ServeMux) *mux.Router {
 	router.HandleFunc("/swagger/v1/openapiv2.json", headscale.SwaggerAPIv1).
 		Methods(http.MethodGet)

-	router.HandleFunc("/verify", h.VerifyHandler).Methods(http.MethodPost)
-
 	if h.cfg.DERP.ServerEnabled {
 		router.HandleFunc("/derp", h.DERPServer.DERPHandler)
 		router.HandleFunc("/derp/probe", derpServer.DERPProbeHandler)
-		router.HandleFunc("/derp/latency-check", derpServer.DERPProbeHandler)
 		router.HandleFunc("/bootstrap-dns", derpServer.DERPBootstrapDNSHandler(h.DERPMap))
 	}

--- a/hscontrol/handlers.go
+++ b/hscontrol/handlers.go
@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
-	"io"
 	"net/http"
 	"strconv"
 	"strings"
@ -57,65 +56,6 @@ func parseCabailityVersion(req *http.Request) (tailcfg.CapabilityVersion, error)
 	return tailcfg.CapabilityVersion(clientCapabilityVersion), nil
 }

-func (h *Headscale) handleVerifyRequest(
-	req *http.Request,
-) (bool, error) {
-	body, err := io.ReadAll(req.Body)
-	if err != nil {
-		return false, fmt.Errorf("cannot read request body: %w", err)
-	}
-
-	var derpAdmitClientRequest tailcfg.DERPAdmitClientRequest
-	if err := json.Unmarshal(body, &derpAdmitClientRequest); err != nil {
-		return false, fmt.Errorf("cannot parse derpAdmitClientRequest: %w", err)
-	}
-
-	nodes, err := h.db.ListNodes()
-	if err != nil {
-		return false, fmt.Errorf("cannot list nodes: %w", err)
-	}
-
-	return nodes.ContainsNodeKey(derpAdmitClientRequest.NodePublic), nil
-}
-
-// see https://github.com/tailscale/tailscale/blob/964282d34f06ecc06ce644769c66b0b31d118340/derp/derp_server.go#L1159, Derp use verifyClientsURL to verify whether a client is allowed to connect to the DERP server.
-func (h *Headscale) VerifyHandler(
-	writer http.ResponseWriter,
-	req *http.Request,
-) {
-	if req.Method != http.MethodPost {
-		http.Error(writer, "Wrong method", http.StatusMethodNotAllowed)
-
-		return
-	}
-	log.Debug().
-		Str("handler", "/verify").
-		Msg("verify client")
-
-	allow, err := h.handleVerifyRequest(req)
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Failed to verify client")
-		http.Error(writer, "Internal error", http.StatusInternalServerError)
-	}
-
-	resp := tailcfg.DERPAdmitClientResponse{
-		Allow: allow,
-	}
-
-	writer.Header().Set("Content-Type", "application/json")
-	writer.WriteHeader(http.StatusOK)
-	err = json.NewEncoder(writer).Encode(resp)
-	if err != nil {
-		log.Error().
-			Caller().
-			Err(err).
-			Msg("Failed to write response")
-	}
-}
-
 // KeyHandler provides the Headscale pub key
 // Listens in /key.
 func (h *Headscale) KeyHandler(
--- a/hscontrol/metrics.go
+++ b/hscontrol/metrics.go
@ -78,7 +78,7 @@ func prometheusMiddleware(next http.Handler) http.Handler {

 		// Ignore streaming and noise sessions
 		// it has its own router further down.
-		if path == "/ts2021" || path == "/machine/map" || path == "/derp" || path == "/derp/probe" || path == "/derp/latency-check" || path == "/bootstrap-dns" {
+		if path == "/ts2021" || path == "/machine/map" || path == "/derp" || path == "/derp/probe" || path == "/bootstrap-dns" {
 			next.ServeHTTP(w, r)
 			return
 		}
--- a/hscontrol/templates/apple.go
+++ b/hscontrol/templates/apple.go
@ -17,13 +17,9 @@ func Apple(url string) *elem.Element {
 			headerOne("headscale: iOS configuration"),
 			headerTwo("GUI"),
 			elem.Ol(nil,
-				elem.Li(
-					nil,
+				elem.Li(nil,
 					elem.Text("Install the official Tailscale iOS client from the "),
-					elem.A(
-						attrs.Props{
-							attrs.Href: "https://apps.apple.com/app/tailscale/id1470499037",
-						},
+					elem.A(attrs.Props{attrs.Href: "https://apps.apple.com/app/tailscale/id1470499037"},
 						elem.Text("App store"),
 					),
 				),
@ -35,47 +31,27 @@ func Apple(url string) *elem.Element {
 				elem.Li(nil,
 					elem.Text("Open Settings on the iOS device"),
 				),
-				elem.Li(
-					nil,
-					elem.Text(
-						`Scroll down to the "third party apps" section, under "Game Center" or "TV Provider"`,
-					),
+				elem.Li(nil,
+					elem.Text(`Scroll down to the "third party apps" section, under "Game Center" or "TV Provider"`),
 				),
 				elem.Li(nil,
 					elem.Text("Find Tailscale and select it"),
 					elem.Ul(nil,
-						elem.Li(
-							nil,
-							elem.Text(
-								`If the iOS device was previously logged into Tailscale, switch the "Reset Keychain" toggle to "on"`,
-							),
+						elem.Li(nil,
+							elem.Text(`If the iOS device was previously logged into Tailscale, switch the "Reset Keychain" toggle to "on"`),
 						),
 					),
 				),
-				elem.Li(
-					nil,
-					elem.Text(
-						fmt.Sprintf(
-							`Enter "%s" under "Alternate Coordination Server URL"`,
-							url,
-						),
-					),
+				elem.Li(nil,
+					elem.Text(fmt.Sprintf(`Enter "%s" under "Alternate Coordination Server URL"`, url)),
 				),
-				elem.Li(
-					nil,
-					elem.Text(
-						"Restart the app by closing it from the iOS app switcher, open the app and select the regular sign in option ",
-					),
+				elem.Li(nil,
+					elem.Text("Restart the app by closing it from the iOS app switcher, open the app and select the regular sign in option "),
 					elem.I(nil, elem.Text("(non-SSO)")),
-					elem.Text(
-						". It should open up to the headscale authentication page.",
-					),
+					elem.Text(". It should open up to the headscale authentication page."),
 				),
-				elem.Li(
-					nil,
-					elem.Text(
-						"Enter your credentials and log in. Headscale should now be working on your iOS device",
-					),
+				elem.Li(nil,
+					elem.Text("Enter your credentials and log in. Headscale should now be working on your iOS device"),
 				),
 			),
 			headerOne("headscale: macOS configuration"),
@ -90,58 +66,34 @@ func Apple(url string) *elem.Element {
 			),
 			headerTwo("GUI"),
 			elem.Ol(nil,
-				elem.Li(
-					nil,
-					elem.Text(
-						"ALT + Click the Tailscale icon in the menu and hover over the Debug menu",
-					),
+				elem.Li(nil,
+					elem.Text("ALT + Click the Tailscale icon in the menu and hover over the Debug menu"),
 				),
 				elem.Li(nil,
 					elem.Text(`Under "Custom Login Server", select "Add Account..."`),
 				),
-				elem.Li(
-					nil,
-					elem.Text(
-						fmt.Sprintf(
-							`Enter "%s" of the headscale instance and press "Add Account"`,
-							url,
-						),
-					),
+				elem.Li(nil,
+					elem.Text(fmt.Sprintf(`Enter "%s" of the headscale instance and press "Add Account"`, url)),
 				),
 				elem.Li(nil,
 					elem.Text(`Follow the login procedure in the browser`),
 				),
 			),
 			headerTwo("Profiles"),
-			elem.P(
-				nil,
-				elem.Text(
-					"Headscale can be set to the default server by installing a Headscale configuration profile:",
-				),
+			elem.P(nil,
+				elem.Text("Headscale can be set to the default server by installing a Headscale configuration profile:"),
 			),
-			elem.P(
-				nil,
-				elem.A(
-					attrs.Props{
-						attrs.Href:     "/apple/macos-app-store",
-						attrs.Download: "headscale_macos.mobileconfig",
-					},
+			elem.P(nil,
+				elem.A(attrs.Props{attrs.Href: "/apple/macos-app-store", attrs.Download: "headscale_macos.mobileconfig"},
 					elem.Text("macOS AppStore profile "),
 				),
-				elem.A(
-					attrs.Props{
-						attrs.Href:     "/apple/macos-standalone",
-						attrs.Download: "headscale_macos.mobileconfig",
-					},
+				elem.A(attrs.Props{attrs.Href: "/apple/macos-standalone", attrs.Download: "headscale_macos.mobileconfig"},
 					elem.Text("macOS Standalone profile"),
 				),
 			),
 			elem.Ol(nil,
-				elem.Li(
-					nil,
-					elem.Text(
-						"Download the profile, then open it. When it has been opened, there should be a notification that a profile can be installed",
-					),
+				elem.Li(nil,
+					elem.Text("Download the profile, then open it. When it has been opened, there should be a notification that a profile can be installed"),
 				),
 				elem.Li(nil,
 					elem.Text(`Open System Preferences and go to "Profiles"`),
@ -154,35 +106,20 @@ func Apple(url string) *elem.Element {
 				),
 			),
 			elem.P(nil, elem.Text("Or")),
-			elem.P(
-				nil,
-				elem.Text(
-					"Use your terminal to configure the default setting for Tailscale by issuing:",
-				),
+			elem.P(nil,
+				elem.Text("Use your terminal to configure the default setting for Tailscale by issuing:"),
 			),
 			elem.Ul(nil,
 				elem.Li(nil,
 					elem.Text(`for app store client:`),
-					elem.Code(
-						nil,
-						elem.Text(
-							fmt.Sprintf(
-								`defaults write io.tailscale.ipn.macos ControlURL %s`,
-								url,
-							),
-						),
+					elem.Code(nil,
+						elem.Text(fmt.Sprintf(`defaults write io.tailscale.ipn.macos ControlURL %s`, url)),
 					),
 				),
 				elem.Li(nil,
 					elem.Text(`for standalone client:`),
-					elem.Code(
-						nil,
-						elem.Text(
-							fmt.Sprintf(
-								`defaults write io.tailscale.ipn.macsys ControlURL %s`,
-								url,
-							),
-						),
+					elem.Code(nil,
+						elem.Text(fmt.Sprintf(`defaults write io.tailscale.ipn.macsys ControlURL %s`, url)),
 					),
 				),
 			),
@ -190,11 +127,8 @@ func Apple(url string) *elem.Element {
 				elem.Text("Restart Tailscale.app and log in."),
 			),
 			headerThree("Caution"),
-			elem.P(
-				nil,
-				elem.Text(
-					"You should always download and inspect the profile before installing it:",
-				),
+			elem.P(nil,
+				elem.Text("You should always download and inspect the profile before installing it:"),
 			),
 			elem.Ul(nil,
 				elem.Li(nil,
@ -210,53 +144,6 @@ func Apple(url string) *elem.Element {
 					),
 				),
 			),
-			headerOne("headscale: tvOS configuration"),
-			headerTwo("GUI"),
-			elem.Ol(nil,
-				elem.Li(
-					nil,
-					elem.Text("Install the official Tailscale tvOS client from the "),
-					elem.A(
-						attrs.Props{
-							attrs.Href: "https://apps.apple.com/app/tailscale/id1470499037",
-						},
-						elem.Text("App store"),
-					),
-				),
-				elem.Li(
-					nil,
-					elem.Text(
-						"Open Settings (the Apple tvOS settings) > Apps > Tailscale",
-					),
-				),
-				elem.Li(
-					nil,
-					elem.Text(
-						fmt.Sprintf(
-							`Enter "%s" under "ALTERNATE COORDINATION SERVER URL"`,
-							url,
-						),
-					),
-				),
-				elem.Li(nil,
-					elem.Text("Return to the tvOS Home screen"),
-				),
-				elem.Li(nil,
-					elem.Text("Open Tailscale"),
-				),
-				elem.Li(nil,
-					elem.Text(`Select "Install VPN configuration"`),
-				),
-				elem.Li(nil,
-					elem.Text(`Select "Allow"`),
-				),
-				elem.Li(nil,
-					elem.Text("Scan the QR code and follow the login procedure"),
-				),
-				elem.Li(nil,
-					elem.Text("Headscale should now be working on your tvOS device"),
-				),
-			),
 		),
 	)
 }
--- a/hscontrol/types/config.go
+++ b/hscontrol/types/config.go
@ -28,9 +28,8 @@ const (
 	maxDuration           time.Duration = 1<<63 - 1
 )

-var (
-	errOidcMutuallyExclusive = errors.New("oidc_client_secret and oidc_client_secret_path are mutually exclusive")
-	errServerURLSuffix       = errors.New("server_url cannot be part of base_domain in a way that could make the DERP and headscale server unreachable")
+var errOidcMutuallyExclusive = errors.New(
+	"oidc_client_secret and oidc_client_secret_path are mutually exclusive",
 )

 type IPAllocationStrategy string
@ -828,10 +827,11 @@ func LoadServerConfig() (*Config, error) {
 	// - DERP run on their own domains
 	// - Control plane runs on login.tailscale.com/controlplane.tailscale.com
 	// - MagicDNS (BaseDomain) for users is on a *.ts.net domain per tailnet (e.g. tail-scale.ts.net)
-	if dnsConfig.BaseDomain != "" {
-		if err := isSafeServerURL(serverURL, dnsConfig.BaseDomain); err != nil {
-			return nil, err
-		}
+	if dnsConfig.BaseDomain != "" &&
+		strings.Contains(serverURL, dnsConfig.BaseDomain) {
+		return nil, errors.New(
+			"server_url cannot contain the base_domain, this will cause the headscale server and embedded DERP to become unreachable from the Tailscale node.",
+		)
 	}

 	return &Config{
@ -924,37 +924,6 @@ func LoadServerConfig() (*Config, error) {
 	}, nil
 }

-// BaseDomain cannot be a suffix of the server URL.
-// This is because Tailscale takes over the domain in BaseDomain,
-// causing the headscale server and DERP to be unreachable.
-// For Tailscale upstream, the following is true:
-// - DERP run on their own domains.
-// - Control plane runs on login.tailscale.com/controlplane.tailscale.com.
-// - MagicDNS (BaseDomain) for users is on a *.ts.net domain per tailnet (e.g. tail-scale.ts.net).
-func isSafeServerURL(serverURL, baseDomain string) error {
-	server, err := url.Parse(serverURL)
-	if err != nil {
-		return err
-	}
-
-	serverDomainParts := strings.Split(server.Host, ".")
-	baseDomainParts := strings.Split(baseDomain, ".")
-
-	if len(serverDomainParts) <= len(baseDomainParts) {
-		return nil
-	}
-
-	s := len(serverDomainParts)
-	b := len(baseDomainParts)
-	for i := range len(baseDomainParts) {
-		if serverDomainParts[s-i-1] != baseDomainParts[b-i-1] {
-			return nil
-		}
-	}
-
-	return errServerURLSuffix
-}
-
 type deprecator struct {
 	warns  set.Set[string]
 	fatals set.Set[string]
--- a/hscontrol/types/config_test.go
+++ b/hscontrol/types/config_test.go
@ -1,7 +1,6 @@
 package types

 import (
-	"fmt"
 	"os"
 	"path/filepath"
 	"testing"
@ -159,7 +158,7 @@ func TestReadConfig(t *testing.T) {
 				return LoadServerConfig()
 			},
 			want:    nil,
-			wantErr: errServerURLSuffix.Error(),
+			wantErr: "server_url cannot contain the base_domain, this will cause the headscale server and embedded DERP to become unreachable from the Tailscale node.",
 		},
 		{
 			name:       "base-domain-not-in-server-url",
@ -365,64 +364,3 @@ tls_letsencrypt_challenge_type: TLS-ALPN-01
 	err = LoadConfig(tmpDir, false)
 	require.NoError(t, err)
 }
-
-// OK
-// server_url: headscale.com, base: clients.headscale.com
-// server_url: headscale.com, base: headscale.net
-//
-// NOT OK
-// server_url: server.headscale.com, base: headscale.com.
-func TestSafeServerURL(t *testing.T) {
-	tests := []struct {
-		serverURL, baseDomain,
-		wantErr string
-	}{
-		{
-			serverURL:  "https://example.com",
-			baseDomain: "example.org",
-		},
-		{
-			serverURL:  "https://headscale.com",
-			baseDomain: "headscale.com",
-		},
-		{
-			serverURL:  "https://headscale.com",
-			baseDomain: "clients.headscale.com",
-		},
-		{
-			serverURL:  "https://headscale.com",
-			baseDomain: "clients.subdomain.headscale.com",
-		},
-		{
-			serverURL:  "https://headscale.kristoffer.com",
-			baseDomain: "mybase",
-		},
-		{
-			serverURL:  "https://server.headscale.com",
-			baseDomain: "headscale.com",
-			wantErr:    errServerURLSuffix.Error(),
-		},
-		{
-			serverURL:  "https://server.subdomain.headscale.com",
-			baseDomain: "headscale.com",
-			wantErr:    errServerURLSuffix.Error(),
-		},
-		{
-			serverURL: "http://foo\x00",
-			wantErr:   `parse "http://foo\x00": net/url: invalid control character in URL`,
-		},
-	}
-
-	for _, tt := range tests {
-		testName := fmt.Sprintf("server=%s domain=%s", tt.serverURL, tt.baseDomain)
-		t.Run(testName, func(t *testing.T) {
-			err := isSafeServerURL(tt.serverURL, tt.baseDomain)
-			if tt.wantErr != "" {
-				assert.EqualError(t, err, tt.wantErr)
-
-				return
-			}
-			assert.NoError(t, err)
-		})
-	}
-}
--- a/hscontrol/types/node.go
+++ b/hscontrol/types/node.go
@ -223,16 +223,6 @@ func (nodes Nodes) FilterByIP(ip netip.Addr) Nodes {
 	return found
 }

-func (nodes Nodes) ContainsNodeKey(nodeKey key.NodePublic) bool {
-	for _, node := range nodes {
-		if node.NodeKey == nodeKey {
-			return true
-		}
-	}
-
-	return false
-}
-
 func (node *Node) Proto() *v1.Node {
 	nodeProto := &v1.Node{
 		Id:         uint64(node.ID),
--- a/hscontrol/types/testdata/base-domain-in-server-url.yaml
+++ b/hscontrol/types/testdata/base-domain-in-server-url.yaml
@ -8,7 +8,7 @@ prefixes:
 database:
  type: sqlite3

-server_url: "https://server.derp.no"
+server_url: "https://derp.no"

 dns:
  magic_dns: true
--- a/integration/README.md
+++ b/integration/README.md
@ -11,10 +11,10 @@ Tests are located in files ending with `_test.go` and the framework are located

 ## Running integration tests locally

-The easiest way to run tests locally is to use [act](https://github.com/nektos/act), a local GitHub Actions runner:
+The easiest way to run tests locally is to use `[act](INSERT LINK)`, a local GitHub Actions runner:

 ```
-act pull_request -W .github/workflows/test-integration.yaml
+act pull_request -W .github/workflows/test-integration-v2-TestPingAllByIP.yaml
 ```

 Alternatively, the `docker run` command in each GitHub workflow file can be used.
--- a/integration/derp_verify_endpoint_test.go
+++ b/integration/derp_verify_endpoint_test.go
@ -1,96 +0,0 @@
-package integration
-
-import (
-	"encoding/json"
-	"fmt"
-	"net"
-	"strconv"
-	"strings"
-	"testing"
-
-	"github.com/juanfont/headscale/hscontrol/util"
-	"github.com/juanfont/headscale/integration/dsic"
-	"github.com/juanfont/headscale/integration/hsic"
-	"github.com/juanfont/headscale/integration/integrationutil"
-	"github.com/juanfont/headscale/integration/tsic"
-	"tailscale.com/tailcfg"
-)
-
-func TestDERPVerifyEndpoint(t *testing.T) {
-	IntegrationSkip(t)
-
-	// Generate random hostname for the headscale instance
-	hash, err := util.GenerateRandomStringDNSSafe(6)
-	assertNoErr(t, err)
-	testName := "derpverify"
-	hostname := fmt.Sprintf("hs-%s-%s", testName, hash)
-
-	headscalePort := 8080
-
-	// Create cert for headscale
-	certHeadscale, keyHeadscale, err := integrationutil.CreateCertificate(hostname)
-	assertNoErr(t, err)
-
-	scenario, err := NewScenario(dockertestMaxWait())
-	assertNoErr(t, err)
-	defer scenario.ShutdownAssertNoPanics(t)
-
-	spec := map[string]int{
-		"user1": len(MustTestVersions),
-	}
-
-	derper, err := scenario.CreateDERPServer("head",
-		dsic.WithCACert(certHeadscale),
-		dsic.WithVerifyClientURL(fmt.Sprintf("https://%s/verify", net.JoinHostPort(hostname, strconv.Itoa(headscalePort)))),
-	)
-	assertNoErr(t, err)
-
-	derpMap := tailcfg.DERPMap{
-		Regions: map[int]*tailcfg.DERPRegion{
-			900: {
-				RegionID:   900,
-				RegionCode: "test-derpverify",
-				RegionName: "TestDerpVerify",
-				Nodes: []*tailcfg.DERPNode{
-					{
-						Name:     "TestDerpVerify",
-						RegionID: 900,
-						HostName: derper.GetHostname(),
-						STUNPort: derper.GetSTUNPort(),
-						STUNOnly: false,
-						DERPPort: derper.GetDERPPort(),
-					},
-				},
-			},
-		},
-	}
-
-	err = scenario.CreateHeadscaleEnv(spec, []tsic.Option{tsic.WithCACert(derper.GetCert())},
-		hsic.WithHostname(hostname),
-		hsic.WithPort(headscalePort),
-		hsic.WithCustomTLS(certHeadscale, keyHeadscale),
-		hsic.WithHostnameAsServerURL(),
-		hsic.WithDERPConfig(derpMap))
-	assertNoErrHeadscaleEnv(t, err)
-
-	allClients, err := scenario.ListTailscaleClients()
-	assertNoErrListClients(t, err)
-
-	for _, client := range allClients {
-		report, err := client.DebugDERPRegion("test-derpverify")
-		assertNoErr(t, err)
-		successful := false
-		for _, line := range report.Info {
-			if strings.Contains(line, "Successfully established a DERP connection with node") {
-				successful = true
-
-				break
-			}
-		}
-		if !successful {
-			stJSON, err := json.Marshal(report)
-			assertNoErr(t, err)
-			t.Errorf("Client %s could not establish a DERP connection: %s", client.Hostname(), string(stJSON))
-		}
-	}
-}
--- a/integration/dsic/dsic.go
+++ b/integration/dsic/dsic.go
@ -1,321 +0,0 @@
-package dsic
-
-import (
-	"crypto/tls"
-	"errors"
-	"fmt"
-	"log"
-	"net"
-	"net/http"
-	"strconv"
-	"strings"
-	"time"
-
-	"github.com/juanfont/headscale/hscontrol/util"
-	"github.com/juanfont/headscale/integration/dockertestutil"
-	"github.com/juanfont/headscale/integration/integrationutil"
-	"github.com/ory/dockertest/v3"
-	"github.com/ory/dockertest/v3/docker"
-)
-
-const (
-	dsicHashLength       = 6
-	dockerContextPath    = "../."
-	caCertRoot           = "/usr/local/share/ca-certificates"
-	DERPerCertRoot       = "/usr/local/share/derper-certs"
-	dockerExecuteTimeout = 60 * time.Second
-)
-
-var errDERPerStatusCodeNotOk = errors.New("DERPer status code not OK")
-
-// DERPServerInContainer represents DERP Server in Container (DSIC).
-type DERPServerInContainer struct {
-	version  string
-	hostname string
-
-	pool      *dockertest.Pool
-	container *dockertest.Resource
-	network   *dockertest.Network
-
-	stunPort            int
-	derpPort            int
-	caCerts             [][]byte
-	tlsCert             []byte
-	tlsKey              []byte
-	withExtraHosts      []string
-	withVerifyClientURL string
-	workdir             string
-}
-
-// Option represent optional settings that can be given to a
-// DERPer instance.
-type Option = func(c *DERPServerInContainer)
-
-// WithCACert adds it to the trusted surtificate of the Tailscale container.
-func WithCACert(cert []byte) Option {
-	return func(dsic *DERPServerInContainer) {
-		dsic.caCerts = append(dsic.caCerts, cert)
-	}
-}
-
-// WithOrCreateNetwork sets the Docker container network to use with
-// the DERPer instance, if the parameter is nil, a new network,
-// isolating the DERPer, will be created. If a network is
-// passed, the DERPer instance will join the given network.
-func WithOrCreateNetwork(network *dockertest.Network) Option {
-	return func(tsic *DERPServerInContainer) {
-		if network != nil {
-			tsic.network = network
-
-			return
-		}
-
-		network, err := dockertestutil.GetFirstOrCreateNetwork(
-			tsic.pool,
-			tsic.hostname+"-network",
-		)
-		if err != nil {
-			log.Fatalf("failed to create network: %s", err)
-		}
-
-		tsic.network = network
-	}
-}
-
-// WithDockerWorkdir allows the docker working directory to be set.
-func WithDockerWorkdir(dir string) Option {
-	return func(tsic *DERPServerInContainer) {
-		tsic.workdir = dir
-	}
-}
-
-// WithVerifyClientURL sets the URL to verify the client.
-func WithVerifyClientURL(url string) Option {
-	return func(tsic *DERPServerInContainer) {
-		tsic.withVerifyClientURL = url
-	}
-}
-
-// WithExtraHosts adds extra hosts to the container.
-func WithExtraHosts(hosts []string) Option {
-	return func(tsic *DERPServerInContainer) {
-		tsic.withExtraHosts = hosts
-	}
-}
-
-// New returns a new TailscaleInContainer instance.
-func New(
-	pool *dockertest.Pool,
-	version string,
-	network *dockertest.Network,
-	opts ...Option,
-) (*DERPServerInContainer, error) {
-	hash, err := util.GenerateRandomStringDNSSafe(dsicHashLength)
-	if err != nil {
-		return nil, err
-	}
-
-	hostname := fmt.Sprintf("derp-%s-%s", strings.ReplaceAll(version, ".", "-"), hash)
-	tlsCert, tlsKey, err := integrationutil.CreateCertificate(hostname)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create certificates for headscale test: %w", err)
-	}
-	dsic := &DERPServerInContainer{
-		version:  version,
-		hostname: hostname,
-		pool:     pool,
-		network:  network,
-		tlsCert:  tlsCert,
-		tlsKey:   tlsKey,
-		stunPort: 3478, //nolint
-		derpPort: 443,  //nolint
-	}
-
-	for _, opt := range opts {
-		opt(dsic)
-	}
-
-	var cmdArgs strings.Builder
-	fmt.Fprintf(&cmdArgs, "--hostname=%s", hostname)
-	fmt.Fprintf(&cmdArgs, " --certmode=manual")
-	fmt.Fprintf(&cmdArgs, " --certdir=%s", DERPerCertRoot)
-	fmt.Fprintf(&cmdArgs, " --a=:%d", dsic.derpPort)
-	fmt.Fprintf(&cmdArgs, " --stun=true")
-	fmt.Fprintf(&cmdArgs, " --stun-port=%d", dsic.stunPort)
-	if dsic.withVerifyClientURL != "" {
-		fmt.Fprintf(&cmdArgs, " --verify-client-url=%s", dsic.withVerifyClientURL)
-	}
-
-	runOptions := &dockertest.RunOptions{
-		Name:       hostname,
-		Networks:   []*dockertest.Network{dsic.network},
-		ExtraHosts: dsic.withExtraHosts,
-		// we currently need to give us some time to inject the certificate further down.
-		Entrypoint: []string{"/bin/sh", "-c", "/bin/sleep 3 ; update-ca-certificates ; derper " + cmdArgs.String()},
-		ExposedPorts: []string{
-			"80/tcp",
-			fmt.Sprintf("%d/tcp", dsic.derpPort),
-			fmt.Sprintf("%d/udp", dsic.stunPort),
-		},
-	}
-
-	if dsic.workdir != "" {
-		runOptions.WorkingDir = dsic.workdir
-	}
-
-	// dockertest isnt very good at handling containers that has already
-	// been created, this is an attempt to make sure this container isnt
-	// present.
-	err = pool.RemoveContainerByName(hostname)
-	if err != nil {
-		return nil, err
-	}
-
-	var container *dockertest.Resource
-	buildOptions := &dockertest.BuildOptions{
-		Dockerfile: "Dockerfile.derper",
-		ContextDir: dockerContextPath,
-		BuildArgs:  []docker.BuildArg{},
-	}
-	switch version {
-	case "head":
-		buildOptions.BuildArgs = append(buildOptions.BuildArgs, docker.BuildArg{
-			Name:  "VERSION_BRANCH",
-			Value: "main",
-		})
-	default:
-		buildOptions.BuildArgs = append(buildOptions.BuildArgs, docker.BuildArg{
-			Name:  "VERSION_BRANCH",
-			Value: "v" + version,
-		})
-	}
-	container, err = pool.BuildAndRunWithBuildOptions(
-		buildOptions,
-		runOptions,
-		dockertestutil.DockerRestartPolicy,
-		dockertestutil.DockerAllowLocalIPv6,
-		dockertestutil.DockerAllowNetworkAdministration,
-	)
-	if err != nil {
-		return nil, fmt.Errorf(
-			"%s could not start tailscale DERPer container (version: %s): %w",
-			hostname,
-			version,
-			err,
-		)
-	}
-	log.Printf("Created %s container\n", hostname)
-
-	dsic.container = container
-
-	for i, cert := range dsic.caCerts {
-		err = dsic.WriteFile(fmt.Sprintf("%s/user-%d.crt", caCertRoot, i), cert)
-		if err != nil {
-			return nil, fmt.Errorf("failed to write TLS certificate to container: %w", err)
-		}
-	}
-	if len(dsic.tlsCert) != 0 {
-		err = dsic.WriteFile(fmt.Sprintf("%s/%s.crt", DERPerCertRoot, dsic.hostname), dsic.tlsCert)
-		if err != nil {
-			return nil, fmt.Errorf("failed to write TLS certificate to container: %w", err)
-		}
-	}
-	if len(dsic.tlsKey) != 0 {
-		err = dsic.WriteFile(fmt.Sprintf("%s/%s.key", DERPerCertRoot, dsic.hostname), dsic.tlsKey)
-		if err != nil {
-			return nil, fmt.Errorf("failed to write TLS key to container: %w", err)
-		}
-	}
-
-	return dsic, nil
-}
-
-// Shutdown stops and cleans up the DERPer container.
-func (t *DERPServerInContainer) Shutdown() error {
-	err := t.SaveLog("/tmp/control")
-	if err != nil {
-		log.Printf(
-			"Failed to save log from %s: %s",
-			t.hostname,
-			fmt.Errorf("failed to save log: %w", err),
-		)
-	}
-
-	return t.pool.Purge(t.container)
-}
-
-// GetCert returns the TLS certificate of the DERPer instance.
-func (t *DERPServerInContainer) GetCert() []byte {
-	return t.tlsCert
-}
-
-// Hostname returns the hostname of the DERPer instance.
-func (t *DERPServerInContainer) Hostname() string {
-	return t.hostname
-}
-
-// Version returns the running DERPer version of the instance.
-func (t *DERPServerInContainer) Version() string {
-	return t.version
-}
-
-// ID returns the Docker container ID of the DERPServerInContainer
-// instance.
-func (t *DERPServerInContainer) ID() string {
-	return t.container.Container.ID
-}
-
-func (t *DERPServerInContainer) GetHostname() string {
-	return t.hostname
-}
-
-// GetSTUNPort returns the STUN port of the DERPer instance.
-func (t *DERPServerInContainer) GetSTUNPort() int {
-	return t.stunPort
-}
-
-// GetDERPPort returns the DERP port of the DERPer instance.
-func (t *DERPServerInContainer) GetDERPPort() int {
-	return t.derpPort
-}
-
-// WaitForRunning blocks until the DERPer instance is ready to be used.
-func (t *DERPServerInContainer) WaitForRunning() error {
-	url := "https://" + net.JoinHostPort(t.GetHostname(), strconv.Itoa(t.GetDERPPort())) + "/"
-	log.Printf("waiting for DERPer to be ready at %s", url)
-
-	insecureTransport := http.DefaultTransport.(*http.Transport).Clone()      //nolint
-	insecureTransport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true} //nolint
-	client := &http.Client{Transport: insecureTransport}
-
-	return t.pool.Retry(func() error {
-		resp, err := client.Get(url) //nolint
-		if err != nil {
-			return fmt.Errorf("headscale is not ready: %w", err)
-		}
-
-		if resp.StatusCode != http.StatusOK {
-			return errDERPerStatusCodeNotOk
-		}
-
-		return nil
-	})
-}
-
-// ConnectToNetwork connects the DERPer instance to a network.
-func (t *DERPServerInContainer) ConnectToNetwork(network *dockertest.Network) error {
-	return t.container.ConnectToNetwork(network)
-}
-
-// WriteFile save file inside the container.
-func (t *DERPServerInContainer) WriteFile(path string, data []byte) error {
-	return integrationutil.WriteFileToContainer(t.pool, t.container, path, data)
-}
-
-// SaveLog saves the current stdout log of the container to a path
-// on the host system.
-func (t *DERPServerInContainer) SaveLog(path string) error {
-	_, _, err := dockertestutil.SaveLog(t.pool, t.container, path)
-
-	return err
-}
--- a/integration/embedded_derp_test.go
+++ b/integration/embedded_derp_test.go
@ -55,7 +55,7 @@ func TestDERPServerWebsocketScenario(t *testing.T) {
 	spec := map[string]ClientsSpec{
 		"user1": {
 			Plain:         0,
-			WebsocketDERP: 2,
+			WebsocketDERP: len(MustTestVersions),
 		},
 	}

@ -239,13 +239,10 @@ func (s *EmbeddedDERPServerScenario) CreateHeadscaleEnv(

 		if clientCount.WebsocketDERP > 0 {
 			// Containers that use DERP-over-WebSocket
-			// Note that these clients *must* be built
-			// from source, which is currently
-			// only done for HEAD.
 			err = s.CreateTailscaleIsolatedNodesInUser(
 				hash,
 				userName,
-				tsic.VersionHead,
+				"all",
 				clientCount.WebsocketDERP,
 				tsic.WithWebsocketDERP(true),
 			)
@ -310,7 +307,7 @@ func (s *EmbeddedDERPServerScenario) CreateTailscaleIsolatedNodesInUser(
 			cert := hsServer.GetCert()

 			opts = append(opts,
-				tsic.WithCACert(cert),
+				tsic.WithHeadscaleTLS(cert),
 			)

 			user.createWaitGroup.Go(func() error {
--- a/integration/hsic/hsic.go
+++ b/integration/hsic/hsic.go
@ -1,12 +1,19 @@
 package hsic

 import (
+	"bytes"
+	"crypto/rand"
+	"crypto/rsa"
 	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
 	"encoding/json"
+	"encoding/pem"
 	"errors"
 	"fmt"
 	"io"
 	"log"
+	"math/big"
 	"net"
 	"net/http"
 	"net/url"
@ -25,14 +32,11 @@ import (
 	"github.com/juanfont/headscale/integration/integrationutil"
 	"github.com/ory/dockertest/v3"
 	"github.com/ory/dockertest/v3/docker"
-	"gopkg.in/yaml.v3"
-	"tailscale.com/tailcfg"
 )

 const (
 	hsicHashLength       = 6
 	dockerContextPath    = "../."
-	caCertRoot           = "/usr/local/share/ca-certificates"
 	aclPolicyPath        = "/etc/headscale/acl.hujson"
 	tlsCertPath          = "/etc/headscale/tls.cert"
 	tlsKeyPath           = "/etc/headscale/tls.key"
@ -60,7 +64,6 @@ type HeadscaleInContainer struct {
 	// optional config
 	port             int
 	extraPorts       []string
-	caCerts          [][]byte
 	hostPortBindings map[string][]string
 	aclPolicy        *policy.ACLPolicy
 	env              map[string]string
@ -85,29 +88,18 @@ func WithACLPolicy(acl *policy.ACLPolicy) Option {
 	}
 }

-// WithCACert adds it to the trusted surtificate of the container.
-func WithCACert(cert []byte) Option {
-	return func(hsic *HeadscaleInContainer) {
-		hsic.caCerts = append(hsic.caCerts, cert)
-	}
-}
-
 // WithTLS creates certificates and enables HTTPS.
 func WithTLS() Option {
 	return func(hsic *HeadscaleInContainer) {
-		cert, key, err := integrationutil.CreateCertificate(hsic.hostname)
+		cert, key, err := createCertificate(hsic.hostname)
 		if err != nil {
 			log.Fatalf("failed to create certificates for headscale test: %s", err)
 		}

-		hsic.tlsCert = cert
-		hsic.tlsKey = key
-	}
-}
+		// TODO(kradalby): Move somewhere appropriate
+		hsic.env["HEADSCALE_TLS_CERT_PATH"] = tlsCertPath
+		hsic.env["HEADSCALE_TLS_KEY_PATH"] = tlsKeyPath

-// WithCustomTLS uses the given certificates for the Headscale instance.
-func WithCustomTLS(cert, key []byte) Option {
-	return func(hsic *HeadscaleInContainer) {
 		hsic.tlsCert = cert
 		hsic.tlsKey = key
 	}
@ -154,13 +146,6 @@ func WithTestName(testName string) Option {
 	}
 }

-// WithHostname sets the hostname of the Headscale instance.
-func WithHostname(hostname string) Option {
-	return func(hsic *HeadscaleInContainer) {
-		hsic.hostname = hostname
-	}
-}
-
 // WithHostnameAsServerURL sets the Headscale ServerURL based on
 // the Hostname.
 func WithHostnameAsServerURL() Option {
@ -218,34 +203,6 @@ func WithEmbeddedDERPServerOnly() Option {
 	}
 }

-// WithDERPConfig configures Headscale use a custom
-// DERP server only.
-func WithDERPConfig(derpMap tailcfg.DERPMap) Option {
-	return func(hsic *HeadscaleInContainer) {
-		contents, err := yaml.Marshal(derpMap)
-		if err != nil {
-			log.Fatalf("failed to marshal DERP map: %s", err)
-
-			return
-		}
-
-		hsic.env["HEADSCALE_DERP_PATHS"] = "/etc/headscale/derp.yml"
-		hsic.filesInContainer = append(hsic.filesInContainer,
-			fileInContainer{
-				path:     "/etc/headscale/derp.yml",
-				contents: contents,
-			})
-
-		// Disable global DERP server and embedded DERP server
-		hsic.env["HEADSCALE_DERP_URLS"] = ""
-		hsic.env["HEADSCALE_DERP_SERVER_ENABLED"] = "false"
-
-		// Envknob for enabling DERP debug logs
-		hsic.env["DERP_DEBUG_LOGS"] = "true"
-		hsic.env["DERP_PROBER_DEBUG_LOGS"] = "true"
-	}
-}
-
 // WithTuning allows changing the tuning settings easily.
 func WithTuning(batchTimeout time.Duration, mapSessionChanSize int) Option {
 	return func(hsic *HeadscaleInContainer) {
@ -343,10 +300,6 @@ func New(
 		"HEADSCALE_DEBUG_HIGH_CARDINALITY_METRICS=1",
 		"HEADSCALE_DEBUG_DUMP_CONFIG=1",
 	}
-	if hsic.hasTLS() {
-		hsic.env["HEADSCALE_TLS_CERT_PATH"] = tlsCertPath
-		hsic.env["HEADSCALE_TLS_KEY_PATH"] = tlsKeyPath
-	}
 	for key, value := range hsic.env {
 		env = append(env, fmt.Sprintf("%s=%s", key, value))
 	}
@ -360,7 +313,7 @@ func New(
 		// Cmd:          []string{"headscale", "serve"},
 		// TODO(kradalby): Get rid of this hack, we currently need to give us some
 		// to inject the headscale configuration further down.
-		Entrypoint: []string{"/bin/bash", "-c", "/bin/sleep 3 ; update-ca-certificates ; headscale serve ; /bin/sleep 30"},
+		Entrypoint: []string{"/bin/bash", "-c", "/bin/sleep 3 ; headscale serve ; /bin/sleep 30"},
 		Env:        env,
 	}

@ -398,14 +351,6 @@ func New(

 	hsic.container = container

-	// Write the CA certificates to the container
-	for i, cert := range hsic.caCerts {
-		err = hsic.WriteFile(fmt.Sprintf("%s/user-%d.crt", caCertRoot, i), cert)
-		if err != nil {
-			return nil, fmt.Errorf("failed to write TLS certificate to container: %w", err)
-		}
-	}
-
 	err = hsic.WriteFile("/etc/headscale/config.yaml", []byte(MinimumConfigYAML()))
 	if err != nil {
 		return nil, fmt.Errorf("failed to write headscale config to container: %w", err)
@ -804,3 +749,86 @@ func (t *HeadscaleInContainer) SendInterrupt() error {

 	return nil
 }
+
+// nolint
+func createCertificate(hostname string) ([]byte, []byte, error) {
+	// From:
+	// https://shaneutt.com/blog/golang-ca-and-signed-cert-go/
+
+	ca := &x509.Certificate{
+		SerialNumber: big.NewInt(2019),
+		Subject: pkix.Name{
+			Organization: []string{"Headscale testing INC"},
+			Country:      []string{"NL"},
+			Locality:     []string{"Leiden"},
+		},
+		NotBefore: time.Now(),
+		NotAfter:  time.Now().Add(60 * time.Hour),
+		IsCA:      true,
+		ExtKeyUsage: []x509.ExtKeyUsage{
+			x509.ExtKeyUsageClientAuth,
+			x509.ExtKeyUsageServerAuth,
+		},
+		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
+		BasicConstraintsValid: true,
+	}
+
+	caPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	cert := &x509.Certificate{
+		SerialNumber: big.NewInt(1658),
+		Subject: pkix.Name{
+			CommonName:   hostname,
+			Organization: []string{"Headscale testing INC"},
+			Country:      []string{"NL"},
+			Locality:     []string{"Leiden"},
+		},
+		NotBefore:    time.Now(),
+		NotAfter:     time.Now().Add(60 * time.Minute),
+		SubjectKeyId: []byte{1, 2, 3, 4, 6},
+		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
+		KeyUsage:     x509.KeyUsageDigitalSignature,
+		DNSNames:     []string{hostname},
+	}
+
+	certPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	certBytes, err := x509.CreateCertificate(
+		rand.Reader,
+		cert,
+		ca,
+		&certPrivKey.PublicKey,
+		caPrivKey,
+	)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	certPEM := new(bytes.Buffer)
+
+	err = pem.Encode(certPEM, &pem.Block{
+		Type:  "CERTIFICATE",
+		Bytes: certBytes,
+	})
+	if err != nil {
+		return nil, nil, err
+	}
+
+	certPrivKeyPEM := new(bytes.Buffer)
+
+	err = pem.Encode(certPrivKeyPEM, &pem.Block{
+		Type:  "RSA PRIVATE KEY",
+		Bytes: x509.MarshalPKCS1PrivateKey(certPrivKey),
+	})
+	if err != nil {
+		return nil, nil, err
+	}
+
+	return certPEM.Bytes(), certPrivKeyPEM.Bytes(), nil
+}
--- a/integration/integrationutil/util.go
+++ b/integration/integrationutil/util.go
@ -3,16 +3,9 @@ package integrationutil
 import (
 	"archive/tar"
 	"bytes"
-	"crypto/rand"
-	"crypto/rsa"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/pem"
 	"fmt"
 	"io"
-	"math/big"
 	"path/filepath"
-	"time"

 	"github.com/juanfont/headscale/integration/dockertestutil"
 	"github.com/ory/dockertest/v3"
@ -100,86 +93,3 @@ func FetchPathFromContainer(

 	return buf.Bytes(), nil
 }
-
-// nolint
-func CreateCertificate(hostname string) ([]byte, []byte, error) {
-	// From:
-	// https://shaneutt.com/blog/golang-ca-and-signed-cert-go/
-
-	ca := &x509.Certificate{
-		SerialNumber: big.NewInt(2019),
-		Subject: pkix.Name{
-			Organization: []string{"Headscale testing INC"},
-			Country:      []string{"NL"},
-			Locality:     []string{"Leiden"},
-		},
-		NotBefore: time.Now(),
-		NotAfter:  time.Now().Add(60 * time.Hour),
-		IsCA:      true,
-		ExtKeyUsage: []x509.ExtKeyUsage{
-			x509.ExtKeyUsageClientAuth,
-			x509.ExtKeyUsageServerAuth,
-		},
-		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
-		BasicConstraintsValid: true,
-	}
-
-	caPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	cert := &x509.Certificate{
-		SerialNumber: big.NewInt(1658),
-		Subject: pkix.Name{
-			CommonName:   hostname,
-			Organization: []string{"Headscale testing INC"},
-			Country:      []string{"NL"},
-			Locality:     []string{"Leiden"},
-		},
-		NotBefore:    time.Now(),
-		NotAfter:     time.Now().Add(60 * time.Minute),
-		SubjectKeyId: []byte{1, 2, 3, 4, 6},
-		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
-		KeyUsage:     x509.KeyUsageDigitalSignature,
-		DNSNames:     []string{hostname},
-	}
-
-	certPrivKey, err := rsa.GenerateKey(rand.Reader, 4096)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	certBytes, err := x509.CreateCertificate(
-		rand.Reader,
-		cert,
-		ca,
-		&certPrivKey.PublicKey,
-		caPrivKey,
-	)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	certPEM := new(bytes.Buffer)
-
-	err = pem.Encode(certPEM, &pem.Block{
-		Type:  "CERTIFICATE",
-		Bytes: certBytes,
-	})
-	if err != nil {
-		return nil, nil, err
-	}
-
-	certPrivKeyPEM := new(bytes.Buffer)
-
-	err = pem.Encode(certPrivKeyPEM, &pem.Block{
-		Type:  "RSA PRIVATE KEY",
-		Bytes: x509.MarshalPKCS1PrivateKey(certPrivKey),
-	})
-	if err != nil {
-		return nil, nil, err
-	}
-
-	return certPEM.Bytes(), certPrivKeyPEM.Bytes(), nil
-}
--- a/integration/scenario.go
+++ b/integration/scenario.go
@ -14,7 +14,6 @@ import (
 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/juanfont/headscale/integration/dockertestutil"
-	"github.com/juanfont/headscale/integration/dsic"
 	"github.com/juanfont/headscale/integration/hsic"
 	"github.com/juanfont/headscale/integration/tsic"
 	"github.com/ory/dockertest/v3"
@ -142,7 +141,6 @@ type Scenario struct {
 	// TODO(kradalby): support multiple headcales for later, currently only
 	// use one.
 	controlServers *xsync.MapOf[string, ControlServer]
-	derpServers    []*dsic.DERPServerInContainer

 	users map[string]*User

@ -227,13 +225,6 @@ func (s *Scenario) ShutdownAssertNoPanics(t *testing.T) {
 		}
 	}

-	for _, derp := range s.derpServers {
-		err := derp.Shutdown()
-		if err != nil {
-			log.Printf("failed to tear down derp server: %s", err)
-		}
-	}
-
 	if err := s.pool.RemoveNetwork(s.network); err != nil {
 		log.Printf("failed to remove network: %s", err)
 	}
@ -362,7 +353,7 @@ func (s *Scenario) CreateTailscaleNodesInUser(
 			hostname := headscale.GetHostname()

 			opts = append(opts,
-				tsic.WithCACert(cert),
+				tsic.WithHeadscaleTLS(cert),
 				tsic.WithHeadscaleName(hostname),
 			)

@ -661,20 +652,3 @@ func (s *Scenario) WaitForTailscaleLogout() error {

 	return nil
 }
-
-// CreateDERPServer creates a new DERP server in a container.
-func (s *Scenario) CreateDERPServer(version string, opts ...dsic.Option) (*dsic.DERPServerInContainer, error) {
-	derp, err := dsic.New(s.pool, version, s.network, opts...)
-	if err != nil {
-		return nil, fmt.Errorf("failed to create DERP server: %w", err)
-	}
-
-	err = derp.WaitForRunning()
-	if err != nil {
-		return nil, fmt.Errorf("failed to reach DERP server: %w", err)
-	}
-
-	s.derpServers = append(s.derpServers, derp)
-
-	return derp, nil
-}
--- a/integration/tailscale.go
+++ b/integration/tailscale.go
@ -30,7 +30,6 @@ type TailscaleClient interface {
 	FQDN() (string, error)
 	Status(...bool) (*ipnstate.Status, error)
 	Netmap() (*netmap.NetworkMap, error)
-	DebugDERPRegion(region string) (*ipnstate.DebugDERPRegionReport, error)
 	Netcheck() (*netcheck.Report, error)
 	WaitForNeedsLogin() error
 	WaitForRunning() error
--- a/integration/tsic/tsic.go
+++ b/integration/tsic/tsic.go
@ -12,7 +12,6 @@ import (
 	"net/netip"
 	"net/url"
 	"os"
-	"reflect"
 	"strconv"
 	"strings"
 	"time"
@ -33,7 +32,7 @@ const (
 	defaultPingTimeout   = 300 * time.Millisecond
 	defaultPingCount     = 10
 	dockerContextPath    = "../."
-	caCertRoot           = "/usr/local/share/ca-certificates"
+	headscaleCertPath    = "/usr/local/share/ca-certificates/headscale.crt"
 	dockerExecuteTimeout = 60 * time.Second
 )

@ -45,11 +44,6 @@ var (
 	errTailscaleCannotUpWithoutAuthkey = errors.New("cannot up without authkey")
 	errTailscaleNotConnected           = errors.New("tailscale not connected")
 	errTailscaledNotReadyForLogin      = errors.New("tailscaled not ready for login")
-	errInvalidClientConfig             = errors.New("verifiably invalid client config requested")
-)
-
-const (
-	VersionHead = "head"
 )

 func errTailscaleStatus(hostname string, err error) error {
@ -71,7 +65,7 @@ type TailscaleInContainer struct {
 	fqdn string

 	// optional config
-	caCerts           [][]byte
+	headscaleCert     []byte
 	headscaleHostname string
 	withWebsocketDERP bool
 	withSSH           bool
@ -80,23 +74,17 @@ type TailscaleInContainer struct {
 	withExtraHosts    []string
 	workdir           string
 	netfilter         string
-
-	// build options, solely for HEAD
-	buildConfig TailscaleInContainerBuildConfig
-}
-
-type TailscaleInContainerBuildConfig struct {
-	tags []string
 }

 // Option represent optional settings that can be given to a
 // Tailscale instance.
 type Option = func(c *TailscaleInContainer)

-// WithCACert adds it to the trusted surtificate of the Tailscale container.
-func WithCACert(cert []byte) Option {
+// WithHeadscaleTLS takes the certificate of the Headscale instance
+// and adds it to the trusted surtificate of the Tailscale container.
+func WithHeadscaleTLS(cert []byte) Option {
 	return func(tsic *TailscaleInContainer) {
-		tsic.caCerts = append(tsic.caCerts, cert)
+		tsic.headscaleCert = cert
 	}
 }

@ -125,7 +113,7 @@ func WithOrCreateNetwork(network *dockertest.Network) Option {
 }

 // WithHeadscaleName set the name of the headscale instance,
-// mostly useful in combination with TLS and WithCACert.
+// mostly useful in combination with TLS and WithHeadscaleTLS.
 func WithHeadscaleName(hsName string) Option {
 	return func(tsic *TailscaleInContainer) {
 		tsic.headscaleHostname = hsName
@ -187,22 +175,6 @@ func WithNetfilter(state string) Option {
 	}
 }

-// WithBuildTag adds an additional value to the `-tags=` parameter
-// of the Go compiler, allowing callers to customize the Tailscale client build.
-// This option is only meaningful when invoked on **HEAD** versions of the client.
-// Attempts to use it with any other version is a bug in the calling code.
-func WithBuildTag(tag string) Option {
-	return func(tsic *TailscaleInContainer) {
-		if tsic.version != VersionHead {
-			panic(errInvalidClientConfig)
-		}
-
-		tsic.buildConfig.tags = append(
-			tsic.buildConfig.tags, tag,
-		)
-	}
-}
-
 // New returns a new TailscaleInContainer instance.
 func New(
 	pool *dockertest.Pool,
@ -247,20 +219,18 @@ func New(
 	}

 	if tsic.withWebsocketDERP {
-		if version != VersionHead {
-			return tsic, errInvalidClientConfig
-		}
-
-		WithBuildTag("ts_debug_websockets")(tsic)
-
 		tailscaleOptions.Env = append(
 			tailscaleOptions.Env,
 			fmt.Sprintf("TS_DEBUG_DERP_WS_CLIENT=%t", tsic.withWebsocketDERP),
 		)
 	}

-	tailscaleOptions.ExtraHosts = append(tailscaleOptions.ExtraHosts,
-		"host.docker.internal:host-gateway")
+	if tsic.headscaleHostname != "" {
+		tailscaleOptions.ExtraHosts = []string{
+			"host.docker.internal:host-gateway",
+			fmt.Sprintf("%s:host-gateway", tsic.headscaleHostname),
+		}
+	}

 	if tsic.workdir != "" {
 		tailscaleOptions.WorkingDir = tsic.workdir
@ -275,36 +245,14 @@ func New(
 	}

 	var container *dockertest.Resource
-
-	if version != VersionHead {
-		// build options are not meaningful with pre-existing images,
-		// let's not lead anyone astray by pretending otherwise.
-		defaultBuildConfig := TailscaleInContainerBuildConfig{}
-		hasBuildConfig := !reflect.DeepEqual(defaultBuildConfig, tsic.buildConfig)
-		if hasBuildConfig {
-			return tsic, errInvalidClientConfig
-		}
-	}
-
 	switch version {
-	case VersionHead:
+	case "head":
 		buildOptions := &dockertest.BuildOptions{
 			Dockerfile: "Dockerfile.tailscale-HEAD",
 			ContextDir: dockerContextPath,
 			BuildArgs:  []docker.BuildArg{},
 		}

-		buildTags := strings.Join(tsic.buildConfig.tags, ",")
-		if len(buildTags) > 0 {
-			buildOptions.BuildArgs = append(
-				buildOptions.BuildArgs,
-				docker.BuildArg{
-					Name:  "BUILD_TAGS",
-					Value: buildTags,
-				},
-			)
-		}
-
 		container, err = pool.BuildAndRunWithBuildOptions(
 			buildOptions,
 			tailscaleOptions,
@ -346,8 +294,8 @@ func New(

 	tsic.container = container

-	for i, cert := range tsic.caCerts {
-		err = tsic.WriteFile(fmt.Sprintf("%s/user-%d.crt", caCertRoot, i), cert)
+	if tsic.hasTLS() {
+		err = tsic.WriteFile(headscaleCertPath, tsic.headscaleCert)
 		if err != nil {
 			return nil, fmt.Errorf("failed to write TLS certificate to container: %w", err)
 		}
@ -356,6 +304,10 @@ func New(
 	return tsic, nil
 }

+func (t *TailscaleInContainer) hasTLS() bool {
+	return len(t.headscaleCert) != 0
+}
+
 // Shutdown stops and cleans up the Tailscale container.
 func (t *TailscaleInContainer) Shutdown() error {
 	err := t.SaveLog("/tmp/control")
@ -730,34 +682,6 @@ func (t *TailscaleInContainer) watchIPN(ctx context.Context) (*ipn.Notify, error
 	}
 }

-func (t *TailscaleInContainer) DebugDERPRegion(region string) (*ipnstate.DebugDERPRegionReport, error) {
-	if !util.TailscaleVersionNewerOrEqual("1.34", t.version) {
-		panic("tsic.DebugDERPRegion() called with unsupported version: " + t.version)
-	}
-
-	command := []string{
-		"tailscale",
-		"debug",
-		"derp",
-		region,
-	}
-
-	result, stderr, err := t.Execute(command)
-	if err != nil {
-		fmt.Printf("stderr: %s\n", stderr) // nolint
-
-		return nil, fmt.Errorf("failed to execute tailscale debug derp command: %w", err)
-	}
-
-	var report ipnstate.DebugDERPRegionReport
-	err = json.Unmarshal([]byte(result), &report)
-	if err != nil {
-		return nil, fmt.Errorf("failed to unmarshal tailscale derp region report: %w", err)
-	}
-
-	return &report, err
-}
-
 // Netcheck returns the current Netcheck Report (netcheck.Report) of the Tailscale instance.
 func (t *TailscaleInContainer) Netcheck() (*netcheck.Report, error) {
 	command := []string{
--- a/mkdocs.yml
+++ b/mkdocs.yml
@ -183,4 +183,3 @@ nav:
      - Integration:
          - Reverse proxy: ref/integration/reverse-proxy.md
          - Web UI: ref/integration/web-ui.md
-          - Tools: ref/integration/tools.md
Author	SHA1	Message	Date
Kristoffer Dalby	ddadb3c0d3	Merge `b25c2c7f09` into `a71a933705`	2024-11-04 10:14:39 -06:00
Kristoffer Dalby	b25c2c7f09	update nix hash Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2024-11-04 10:14:30 -06:00
Kristoffer Dalby	1d0768c135	conf Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2024-10-24 09:46:46 -05:00
Kristoffer Dalby	67b5528f74	linter fixes Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>	2024-10-24 09:38:33 -05:00