feat: add id token handler

fix: move auth config a level deeper
feat: add support for https certs
2026-04-06 13:02:58 +01:00 · 2022-09-30 16:13:25 +02:00 · 2022-09-30 15:39:19 +02:00 · 2022-09-30 15:31:57 +02:00
27 changed files with 1341 additions and 199 deletions
@@ -10,6 +10,7 @@ require (
 	github.com/coreos/go-oidc/v3 v3.3.0
 	github.com/glebarez/sqlite v1.4.6
 	github.com/go-gormigrate/gormigrate/v2 v2.0.2
+	github.com/golang-jwt/jwt/v4 v4.4.2
 	github.com/google/uuid v1.3.0
 	github.com/hashicorp/go-bexpr v0.1.11
 	github.com/hashicorp/go-hclog v1.3.0
@@ -19,12 +20,17 @@ require (
 	github.com/labstack/echo-contrib v0.13.0
 	github.com/labstack/echo/v4 v4.9.0
 	github.com/lib/pq v1.10.6
+	github.com/libdns/azure v0.2.0
+	github.com/libdns/cloudflare v0.1.0
+	github.com/libdns/digitalocean v0.0.0-20220518195853-a541bc8aa80f
+	github.com/libdns/googleclouddns v1.0.2
+	github.com/libdns/libdns v0.2.1
+	github.com/libdns/route53 v1.2.2
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/mitchellh/pointerstructure v1.2.1
 	github.com/mr-tron/base58 v1.2.0
 	github.com/muesli/coral v1.0.0
 	github.com/nleeper/goment v1.4.4
-	github.com/pkg/errors v0.9.1
 	github.com/prometheus/client_golang v1.13.0
 	github.com/rodaine/table v1.0.1
 	github.com/sony/sonyflake v1.1.0
@@ -35,6 +41,7 @@ require (
 	golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094
 	golang.org/x/sync v0.0.0-20220819030929-7fc1605a5dde
 	google.golang.org/protobuf v1.28.1
+	gopkg.in/square/go-jose.v2 v2.6.0
 	gopkg.in/yaml.v2 v2.4.0
 	gopkg.in/yaml.v3 v3.0.1
 	gorm.io/driver/postgres v1.3.9
@@ -44,16 +51,45 @@ require (
 )

 require (
+	cloud.google.com/go/compute v1.7.0 // indirect
+	github.com/Azure/azure-sdk-for-go v52.4.0+incompatible // indirect
+	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
+	github.com/Azure/go-autorest/autorest v0.11.17 // indirect
+	github.com/Azure/go-autorest/autorest/adal v0.9.11 // indirect
+	github.com/Azure/go-autorest/autorest/azure/auth v0.5.7 // indirect
+	github.com/Azure/go-autorest/autorest/azure/cli v0.4.2 // indirect
+	github.com/Azure/go-autorest/autorest/date v0.3.0 // indirect
+	github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect
+	github.com/Azure/go-autorest/logger v0.2.0 // indirect
+	github.com/Azure/go-autorest/tracing v0.6.0 // indirect
 	github.com/alexbrainman/sspi v0.0.0-20210105120005-909beea2cc74 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.11.2 // indirect
+	github.com/aws/aws-sdk-go-v2/config v1.11.0 // indirect
+	github.com/aws/aws-sdk-go-v2/credentials v1.6.4 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.8.2 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.2 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.0.2 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.5.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/route53 v1.12.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.6.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.11.1 // indirect
+	github.com/aws/smithy-go v1.9.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/digitalocean/godo v1.41.0 // indirect
+	github.com/dimchansky/utfbom v1.1.1 // indirect
 	github.com/fatih/color v1.13.0 // indirect
+	github.com/form3tech-oss/jwt-go v3.2.2+incompatible // indirect
 	github.com/glebarez/go-sqlite v1.18.1 // indirect
 	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/google/go-cmp v0.5.8 // indirect
+	github.com/google/go-querystring v1.0.0 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa // indirect
+	github.com/googleapis/gax-go/v2 v2.4.0 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/inconshreveable/mousetrap v1.0.1 // indirect
 	github.com/jackc/chunkreader/v2 v2.0.1 // indirect
@@ -66,11 +102,11 @@ require (
 	github.com/jackc/pgx/v4 v4.17.2 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
+	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/josharian/native v1.0.0 // indirect
 	github.com/jsimonetti/rtnetlink v1.2.2 // indirect
 	github.com/klauspost/cpuid/v2 v2.1.1 // indirect
 	github.com/labstack/gommon v0.3.1 // indirect
-	github.com/libdns/libdns v0.2.1 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.16 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.1 // indirect
@@ -88,6 +124,7 @@ require (
 	github.com/tkuchiki/go-timezone v0.2.2 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
 	github.com/valyala/fasttemplate v1.2.1 // indirect
+	go.opencensus.io v0.23.0 // indirect
 	go.uber.org/atomic v1.10.0 // indirect
 	go.uber.org/multierr v1.8.0 // indirect
 	go.uber.org/zap v1.23.0 // indirect
@@ -100,9 +137,11 @@ require (
 	golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9 // indirect
 	golang.org/x/tools v0.1.12 // indirect
 	golang.zx2c4.com/wireguard/windows v0.4.10 // indirect
+	google.golang.org/api v0.84.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
+	google.golang.org/genproto v0.0.0-20220616135557-88e70c0c3a90 // indirect
+	google.golang.org/grpc v1.48.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
-	gopkg.in/square/go-jose.v2 v2.6.0 // indirect
 	modernc.org/libc v1.18.0 // indirect
 	modernc.org/mathutil v1.5.0 // indirect
 	modernc.org/memory v1.3.0 // indirect
@@ -27,6 +27,8 @@ cloud.google.com/go v0.94.1/go.mod h1:qAlAugsXlC+JWO+Bke5vCtc9ONxjQT3drlTTnAplMW
 cloud.google.com/go v0.97.0/go.mod h1:GF7l59pYBVlXQIBLx3a761cZ41F9bBH3JUlihCt2Udc=
 cloud.google.com/go v0.99.0/go.mod h1:w0Xx2nLzqWJPuozYQX+hFfCSI8WioryfRDzkoI/Y2ZA=
 cloud.google.com/go v0.100.2/go.mod h1:4Xra9TjzAeYHrl5+oeLlzbM2k3mjVhZh4UqTZ//w99A=
+cloud.google.com/go v0.101.1/go.mod h1:55HwjsGW4CHD3JrNuMdZtSDsgTs0CuCB/bBTugD+7AA=
+cloud.google.com/go v0.102.0 h1:DAq3r8y4mDgyB/ZPJ9v/5VJNqjgJAxTn6ZYLlUywOu8=
 cloud.google.com/go v0.102.0/go.mod h1:oWcCzKlqJ5zgHQt9YsaeTY9KzIvjyy0ArmiBUgpQ+nc=
 cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
 cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
@@ -39,6 +41,7 @@ cloud.google.com/go/compute v1.3.0/go.mod h1:cCZiE1NHEtai4wiufUhW8I8S1JKkAnhnQJW
 cloud.google.com/go/compute v1.5.0/go.mod h1:9SMHyhJlzhlkJqrPAc839t2BZFTSk6Jdj6mkzQJeu0M=
 cloud.google.com/go/compute v1.6.0/go.mod h1:T29tfhtVbq1wvAPo0E3+7vhgmkOYeXjhFvz/FMzPu0s=
 cloud.google.com/go/compute v1.6.1/go.mod h1:g85FgpzFvNULZ+S8AYq87axRKuf2Kh7deLqV/jJ3thU=
+cloud.google.com/go/compute v1.7.0 h1:v/k9Eueb8aAJ0vZuxKMrgm6kPhCLZU9HxFU+AFDs9Uk=
 cloud.google.com/go/compute v1.7.0/go.mod h1:435lt8av5oL9P3fv1OEzSbSUe+ybHXGMPQHHZWZxy9U=
 cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE=
 cloud.google.com/go/datastore v1.1.0/go.mod h1:umbIZjpQpHh4hmRpGhH4tLFup+FVzqBi1b3c64qFpCk=
@@ -52,9 +55,33 @@ cloud.google.com/go/storage v1.5.0/go.mod h1:tpKbwo567HUNpVclU5sGELwQWBDZ8gh0Zeo
 cloud.google.com/go/storage v1.6.0/go.mod h1:N7U0C8pVQ/+NIKOBQyamJIeKQKkZ+mxpohlUTyfDhBk=
 cloud.google.com/go/storage v1.8.0/go.mod h1:Wv1Oy7z6Yz3DshWRJFhqM/UCfaWIRTdp0RXyy7KQOVs=
 cloud.google.com/go/storage v1.10.0/go.mod h1:FLPqc6j+Ki4BU591ie1oL6qBQGu2Bl/tZ9ullr3+Kg0=
+cloud.google.com/go/storage v1.22.0/go.mod h1:GbaLEoMqbVm6sx3Z0R++gSiBlgMv6yUi2q1DeGFKQgE=
 cloud.google.com/go/storage v1.22.1/go.mod h1:S8N1cAStu7BOeFfE8KAQzmyyLkK8p/vmRq6kuBTW58Y=
 dmitri.shuralyov.com/gpu/mtl v0.0.0-20190408044501-666a987793e9/go.mod h1:H6x//7gZCb22OMCxBHrMx7a5I7Hp++hsVxbQ4BYO7hU=
 filippo.io/mkcert v1.4.3 h1:axpnmtrZMM8u5Hf4N3UXxboGemMOV+Tn+e+pkHM6E3o=
+github.com/Azure/azure-sdk-for-go v52.4.0+incompatible h1:NpkT8MjJJMcgPJ5Q9E66QUgY9QRyxqM8MFx2P29uQZ4=
+github.com/Azure/azure-sdk-for-go v52.4.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
+github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs=
+github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
+github.com/Azure/go-autorest/autorest v0.11.17 h1:2zCdHwNgRH+St1J+ZMf66xI8aLr/5KMy+wWLH97zwYM=
+github.com/Azure/go-autorest/autorest v0.11.17/go.mod h1:eipySxLmqSyC5s5k1CLupqet0PSENBEDP93LQ9a8QYw=
+github.com/Azure/go-autorest/autorest/adal v0.9.5/go.mod h1:B7KF7jKIeC9Mct5spmyCB/A8CG/sEz1vwIRGv/bbw7A=
+github.com/Azure/go-autorest/autorest/adal v0.9.11 h1:L4/pmq7poLdsy41Bj1FayKvBhayuWRYkx9HU5i4Ybl0=
+github.com/Azure/go-autorest/autorest/adal v0.9.11/go.mod h1:nBKAnTomx8gDtl+3ZCJv2v0KACFHWTB2drffI1B68Pk=
+github.com/Azure/go-autorest/autorest/azure/auth v0.5.7 h1:8DQB8yl7aLQuP+nuR5e2RO6454OvFlSTXXaNHshc16s=
+github.com/Azure/go-autorest/autorest/azure/auth v0.5.7/go.mod h1:AkzUsqkrdmNhfP2i54HqINVQopw0CLDnvHpJ88Zz1eI=
+github.com/Azure/go-autorest/autorest/azure/cli v0.4.2 h1:dMOmEJfkLKW/7JsokJqkyoYSgmR08hi9KrhjZb+JALY=
+github.com/Azure/go-autorest/autorest/azure/cli v0.4.2/go.mod h1:7qkJkT+j6b+hIpzMOwPChJhTqS8VbsqqgULzMNRugoM=
+github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw=
+github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74=
+github.com/Azure/go-autorest/autorest/mocks v0.4.1 h1:K0laFcLE6VLTOwNgSxaGbUcLPuGXlNkbVvq4cW4nIHk=
+github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k=
+github.com/Azure/go-autorest/autorest/to v0.4.0 h1:oXVqrxakqqV1UZdSazDOPOLvOIz+XA683u8EctwboHk=
+github.com/Azure/go-autorest/autorest/to v0.4.0/go.mod h1:fE8iZBn7LQR7zH/9XU2NcPR4o9jEImooCeWJcYV/zLE=
+github.com/Azure/go-autorest/logger v0.2.0 h1:e4RVHVZKC5p6UANLJHkM4OfR1UKZPj8Wt8Pcx+3oqrE=
+github.com/Azure/go-autorest/logger v0.2.0/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8=
+github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo=
+github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/BurntSushi/toml v1.1.0 h1:ksErzDEI1khOiGPgpwuI7x2ebx/uXQNw7xJpn9Eq1+I=
 github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
@@ -73,6 +100,39 @@ github.com/antihax/optional v1.0.0/go.mod h1:uupD/76wgC+ih3iEmQUL+0Ugr19nfwCT1kd
 github.com/apparentlymart/go-cidr v1.1.0 h1:2mAhrMoF+nhXqxTzSZMUzDHkLjmIHC+Zzn4tdgBZjnU=
 github.com/apparentlymart/go-cidr v1.1.0/go.mod h1:EBcsNrHc3zQeuaeCeCtQruQm+n9/YjEn/vI25Lg7Gwc=
 github.com/appleboy/gofight/v2 v2.1.2 h1:VOy3jow4vIK8BRQJoC/I9muxyYlJ2yb9ht2hZoS3rf4=
+github.com/aws/aws-sdk-go-v2 v1.10.0/go.mod h1:U/EyyVvKtzmFeQQcca7eBotKdlpcP2zzU6bXBYcf7CE=
+github.com/aws/aws-sdk-go-v2 v1.11.2 h1:SDiCYqxdIYi6HgQfAWRhgdZrdnOuGyLDJVRSWLeHWvs=
+github.com/aws/aws-sdk-go-v2 v1.11.2/go.mod h1:SQfA+m2ltnu1cA0soUkj4dRSsmITiVQUJvBIZjzfPyQ=
+github.com/aws/aws-sdk-go-v2/config v1.9.0/go.mod h1:qhK5NNSgo9/nOSMu3HyE60WHXZTWTHTgd5qtIF44vOQ=
+github.com/aws/aws-sdk-go-v2/config v1.11.0 h1:Czlld5zBB61A3/aoegA9/buZulwL9mHHfizh/Oq+Kqs=
+github.com/aws/aws-sdk-go-v2/config v1.11.0/go.mod h1:VrQDJGFBM5yZe+IOeenNZ/DWoErdny+k2MHEIpwDsEY=
+github.com/aws/aws-sdk-go-v2/credentials v1.5.0/go.mod h1:kvqTkpzQmzri9PbsiTY+LvwFzM0gY19emlAWwBOJMb0=
+github.com/aws/aws-sdk-go-v2/credentials v1.6.4 h1:2hvbUoHufns0lDIsaK8FVCMukT1WngtZPavN+W2FkSw=
+github.com/aws/aws-sdk-go-v2/credentials v1.6.4/go.mod h1:tTrhvBPHyPde4pdIPSba4Nv7RYr4wP9jxXEDa1bKn/8=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.7.0/go.mod h1:KqEkRkxm/+1Pd/rENRNbQpfblDBYeg5HDSqjB6ks8hA=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.8.2 h1:KiN5TPOLrEjbGCvdTQR4t0U4T87vVwALZ5Bg3jpMqPY=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.8.2/go.mod h1:dF2F6tXEOgmW5X1ZFO/EPtWrcm7XkW07KNcJUGNtt4s=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.2 h1:XJLnluKuUxQG255zPNe+04izXl7GSyUVafIsgfv9aw4=
+github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.2/go.mod h1:SgKKNBIoDC/E1ZCDhhMW3yalWjwuLjMcpLzsM/QQnWo=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.0.2 h1:EauRoYZVNPlidZSZJDscjJBQ22JhVF2+tdteatax2Ak=
+github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.0.2/go.mod h1:xT4XX6w5Sa3dhg50JrYyy3e4WPYo/+WjY/BXtqXVunU=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.2.5/go.mod h1:6ZBTuDmvpCOD4Sf1i2/I3PgftlEcDGgvi8ocq64oQEg=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.3.2 h1:IQup8Q6lorXeiA/rK72PeToWoWK8h7VAPgHNWdSrtgE=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.3.2/go.mod h1:VITe/MdW6EMXPb0o0txu/fsonXbMHUU2OC2Qp7ivU4o=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.4.0/go.mod h1:X5/JuOxPLU/ogICgDTtnpfaQzdQJO0yKDcpoxWLLJ8Y=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.5.2 h1:CKdUNKmuilw/KNmO2Q53Av8u+ZyXMC2M9aX8Z+c/gzg=
+github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.5.2/go.mod h1:FgR1tCsn8C6+Hf+N5qkfrE4IXvUL1RgW87sunJ+5J4I=
+github.com/aws/aws-sdk-go-v2/service/route53 v1.12.0 h1:XNmW6Z/l4NL/Glz76gqAb6WOgdSYC2a1T0YBBEHfQ58=
+github.com/aws/aws-sdk-go-v2/service/route53 v1.12.0/go.mod h1:LbPVLMeOEGLIW54yuMayW70DcTtsb+17ekL5j48deF4=
+github.com/aws/aws-sdk-go-v2/service/sso v1.5.0/go.mod h1:GsqaJOJeOfeYD88/2vHWKXegvDRofDqWwC5i48A2kgs=
+github.com/aws/aws-sdk-go-v2/service/sso v1.6.2 h1:2IDmvSb86KT44lSg1uU4ONpzgWLOuApRl6Tg54mZ6Dk=
+github.com/aws/aws-sdk-go-v2/service/sso v1.6.2/go.mod h1:KnIpszaIdwI33tmc/W/GGXyn22c1USYxA/2KyvoeDY0=
+github.com/aws/aws-sdk-go-v2/service/sts v1.8.0/go.mod h1:dOlm91B439le5y1vtPCk5yJtbx3RdT3hRGYRY8TYKvQ=
+github.com/aws/aws-sdk-go-v2/service/sts v1.11.1 h1:QKR7wy5e650q70PFKMfGF9sTo0rZgUevSSJ4wxmyWXk=
+github.com/aws/aws-sdk-go-v2/service/sts v1.11.1/go.mod h1:UV2N5HaPfdbDpkgkz4sRzWCvQswZjdO1FfqCWl0t7RA=
+github.com/aws/smithy-go v1.8.1/go.mod h1:SObp3lf9smib00L/v3U2eAKG8FyQ7iLrJnQiAmR5n+E=
+github.com/aws/smithy-go v1.9.0 h1:c7FUdEqrQA1/UVKKCNDFQPNKGp4FQg3YW4Ck5SLTG58=
+github.com/aws/smithy-go v1.9.0/go.mod h1:SObp3lf9smib00L/v3U2eAKG8FyQ7iLrJnQiAmR5n+E=
 github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8=
 github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
@@ -118,6 +178,11 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/denisenkom/go-mssqldb v0.12.0 h1:VtrkII767ttSPNRfFekePK3sctr+joXgO58stqQbtUA=
+github.com/digitalocean/godo v1.41.0 h1:WYy7MIVVhTMZUNB+UA3irl2V9FyDJeDttsifYyn7jYA=
+github.com/digitalocean/godo v1.41.0/go.mod h1:p7dOjjtSBqCTUksqtA5Fd3uaKs9kyTq2xcz76ulEJRU=
+github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8=
+github.com/dimchansky/utfbom v1.1.1 h1:vV6w1AhK4VMnhBno/TPVCoK9U/LP0PkLCS9tbxHdi/U=
+github.com/dimchansky/utfbom v1.1.1/go.mod h1:SxdoEBH5qIqFocHMyGOXVAybYJdr71b1Q/j0mACtrfE=
 github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk=
 github.com/dvyukov/go-fuzz v0.0.0-20210103155950-6a8e9d1f2415/go.mod h1:11Gm+ccJnvAhCNLlf5+cS9KjtbaD5I5zaZpFMsTHWTw=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
@@ -132,6 +197,8 @@ github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/fatih/color v1.13.0 h1:8LOYc1KYPPmyKMuN8QV2DNRWNbLo6LZ0iLs8+mlH53w=
 github.com/fatih/color v1.13.0/go.mod h1:kLAiJbzzSOZDVNGyDpeOxJ47H46qBXwg5ILebYFFOfk=
+github.com/form3tech-oss/jwt-go v3.2.2+incompatible h1:TcekIExNqud5crz4xD2pavyTgWiPvpYe4Xau31I0PRk=
+github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
 github.com/frankban/quicktest v1.14.0 h1:+cqqvzZV87b4adx/5ayVOaYZ2CrvM4ejQvUdBzPPUss=
 github.com/frankban/quicktest v1.14.0/go.mod h1:NeW+ay9A/U67EYXNFA1nPE8e/tnQv/09mUdL/ijj8og=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
@@ -177,6 +244,8 @@ github.com/gofrs/uuid v4.0.0+incompatible/go.mod h1:b2aQJv3Z4Fp6yNu3cdSllBxTCLRx
 github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ=
 github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
 github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
+github.com/golang-jwt/jwt/v4 v4.4.2 h1:rcc4lwaZgFMCZ5jxF9ABolDcIHdBytAFgqFPbSJQAYs=
+github.com/golang-jwt/jwt/v4 v4.4.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang-sql/civil v0.0.0-20190719163853-cb61b32ac6fe h1:lXe2qZdvpiX5WZkZR4hgp4KJVfY3nMkvmwbVkpv1rVY=
 github.com/golang-sql/sqlexp v0.0.0-20170517235910-f1bb20e5a188 h1:+eHOFJl1BaXrQxKX+T06f78590z4qA2ZzBTqahsKSE4=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
@@ -230,11 +299,16 @@ github.com/google/go-cmp v0.5.6/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
 github.com/google/go-cmp v0.5.7/go.mod h1:n+brtR0CgQNWTVd5ZUFpTBC8YFBDLK/h/bpaJ8/DtOE=
 github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg=
 github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/go-querystring v1.0.0 h1:Xkwi/a1rcvNg1PPYe5vI8GbeBY/jrVuDX5ASuANWTrk=
+github.com/google/go-querystring v1.0.0/go.mod h1:odCYkC5MyYFN7vkCjXpyrEuKhc/BUO6wN/zVPAxq5ck=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/martian v2.1.0+incompatible h1:/CP5g8u/VJHijgedC/Legn3BAbAaWPgecwXBIDzw5no=
 github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXiIaQGbYVAs8BPL6v8lEs=
 github.com/google/martian/v3 v3.0.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
 github.com/google/martian/v3 v3.1.0/go.mod h1:y5Zk1BBys9G+gd6Jrk0W3cC1+ELVxBWuIGO+w/tUAp0=
 github.com/google/martian/v3 v3.2.1/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk=
+github.com/google/martian/v3 v3.3.2 h1:IqNFLAmvJOgVlpdEBiQbDc2EwKW77amAycfTuWKdfvw=
+github.com/google/martian/v3 v3.3.2/go.mod h1:oBOf6HBosgwRXnUGWUB05QECsc6uvmMiJ3+6W4l/CUk=
 github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc=
 github.com/google/pprof v0.0.0-20191218002539-d4f498aebedc/go.mod h1:ZgVRPoUq/hfqzAqh7sHMqb3I9Rq5C59dIz2SbBwJ4eM=
@@ -253,6 +327,7 @@ github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm4
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa h1:7MYGT2XEMam7Mtzv1yDUYXANedWvwk3HKkR3MyGowy8=
 github.com/googleapis/enterprise-certificate-proxy v0.0.0-20220520183353-fd19c99a87aa/go.mod h1:17drOmN3MwGY7t0e+Ei9b45FFGA3fBs3x36SsCg1hq8=
 github.com/googleapis/gax-go/v2 v2.0.4/go.mod h1:0Wqv26UfaUD9n4G6kQubkQ+KchISgw+vpHVxEJEs9eg=
 github.com/googleapis/gax-go/v2 v2.0.5/go.mod h1:DWXyrwAJ9X0FpwwEdw+IPEYBICEFu5mhpdKc/us6bOk=
@@ -260,6 +335,7 @@ github.com/googleapis/gax-go/v2 v2.1.0/go.mod h1:Q3nei7sK6ybPYH7twZdmQpAd1MKb7pf
 github.com/googleapis/gax-go/v2 v2.1.1/go.mod h1:hddJymUZASv3XPyGkUpKj8pPO47Rmb0eJc8R6ouapiM=
 github.com/googleapis/gax-go/v2 v2.2.0/go.mod h1:as02EH8zWkzwUoLbBaFeQ+arQaj/OthfcblKl4IGNaM=
 github.com/googleapis/gax-go/v2 v2.3.0/go.mod h1:b8LNqSzNabLiUpXKkY7HAR5jr6bIT99EXz9pXxye9YM=
+github.com/googleapis/gax-go/v2 v2.4.0 h1:dS9eYAjhrE2RjmzYw2XAPvcXfmcQLtFEQWn0CR82awk=
 github.com/googleapis/gax-go/v2 v2.4.0/go.mod h1:XOTVJ59hdnfJLIP/dh8n5CGryZR2LxK9wbMD5+iXC6c=
 github.com/googleapis/go-type-adapters v1.0.0/go.mod h1:zHW75FOG2aur7gAO2B+MLby+cLsWGBF62rFAi7WjWO4=
 github.com/gorilla/websocket v1.4.1 h1:q7AeDBpnBk8AogcD4DSag/Ukw/KV+YhzLj2bP5HvKCM=
@@ -340,6 +416,10 @@ github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkr
 github.com/jinzhu/now v1.1.4/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
 github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ=
 github.com/jinzhu/now v1.1.5/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
+github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg=
+github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo=
+github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8=
+github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U=
 github.com/joho/godotenv v1.4.0 h1:3l4+N6zfMWnkbPEXKng2o2/MR5mSwTrBih4ZEkkz1lg=
 github.com/josharian/native v1.0.0 h1:Ts/E8zCSEsG17dUqv7joXJFybuMLjQfWE04tsBODTxk=
 github.com/josharian/native v1.0.0/go.mod h1:7X/raswPFr05uY3HiLlYeyQntB6OO7E/d2Cu7qoaN2w=
@@ -390,8 +470,19 @@ github.com/lib/pq v1.2.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
 github.com/lib/pq v1.10.2/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lib/pq v1.10.6 h1:jbk+ZieJ0D7EVGJYpL9QTz7/YW6UHbmdnZWYyK5cdBs=
 github.com/lib/pq v1.10.6/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
+github.com/libdns/azure v0.2.0 h1:SVYG+iMKtSpSJZBZ0hjETAMNscPoWRMJI7nnlLonwD4=
+github.com/libdns/azure v0.2.0/go.mod h1:vu7sD/dXAExlzdne/OTPKTEOXOpDUxPuAKQwqzUT8nk=
+github.com/libdns/cloudflare v0.1.0 h1:93WkJaGaiXCe353LHEP36kAWCUw0YjFqwhkBkU2/iic=
+github.com/libdns/cloudflare v0.1.0/go.mod h1:a44IP6J1YH6nvcNl1PverfJviADgXUnsozR3a7vBKN8=
+github.com/libdns/digitalocean v0.0.0-20220518195853-a541bc8aa80f h1:Y0JkwI0Uip+Zrh71aHLmNz150cKnWuC+535v/zLS8zo=
+github.com/libdns/digitalocean v0.0.0-20220518195853-a541bc8aa80f/go.mod h1:B2TChhOTxvBflpRTHlguXWtwa1Ha5WI6JkB6aCViM+0=
+github.com/libdns/googleclouddns v1.0.2 h1:r7zZKDlMUglvOT6hmpZuMmxld8KpddbsVhEETEHRjjg=
+github.com/libdns/googleclouddns v1.0.2/go.mod h1:Qogt1qOp5teTZAyiKfkhBzI5Ri+6Z/XA16y6eJz2veA=
+github.com/libdns/libdns v0.2.0/go.mod h1:yQCXzk1lEZmmCPa857bnk4TsOiqYasqpyOEeSObbb40=
 github.com/libdns/libdns v0.2.1 h1:Wu59T7wSHRgtA0cfxC+n1c/e+O3upJGWytknkmFEDis=
 github.com/libdns/libdns v0.2.1/go.mod h1:yQCXzk1lEZmmCPa857bnk4TsOiqYasqpyOEeSObbb40=
+github.com/libdns/route53 v1.2.2 h1:ZnlxO2w8ftO/aR0PNRRB8lrG6AcKPOl/H0vU8mb/Ixo=
+github.com/libdns/route53 v1.2.2/go.mod h1:Vu827KwORxYR2I6iGsu8IKh4MESliECL7VA4pAsn95o=
 github.com/lxn/walk v0.0.0-20210112085537-c389da54e794/go.mod h1:E23UucZGqpuUANJooIbHWCufXvOcT6E7Stq81gU+CSQ=
 github.com/lxn/win v0.0.0-20210218163916-a377121e959e/go.mod h1:KxxjdtRkfNoYDCUP5ryK7XJJNTnpC8atvtmTheChOtk=
 github.com/mattn/go-colorable v0.1.1/go.mod h1:FuOcm+DKB9mbwrcAfNl7/TZVBZ6rcnceauSikq3lYCQ=
@@ -541,6 +632,7 @@ go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
+go.opencensus.io v0.23.0 h1:gqCw0LfLxScz8irSi8exQc7fyQ0fKQU/qnC/X8+V/1M=
 go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
 go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
 go.uber.org/atomic v1.3.2/go.mod h1:gD2HeocX3+yG+ygLZcrzQJaqmWj9AIm7n08wl/qW/PE=
@@ -582,7 +674,9 @@ golang.org/x/crypto v0.0.0-20190605123033-f99c8df09eb5/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20190820162420-60c769a6c586/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20201203163018-be400aefbc4c/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
+golang.org/x/crypto v0.0.0-20201221181555-eec23a3978ad/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I=
 golang.org/x/crypto v0.0.0-20210616213533-5ff15b29337e/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
@@ -891,6 +985,7 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20220411194840-2f41105eb62f/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20220517211312-f3a8303e98df/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
+golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f h1:uF6paiQQebLeSXkrTqHqz0MXhXXS1KgF41eUdBNvxK0=
 golang.org/x/xerrors v0.0.0-20220609144429-65e65417b02f/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
 golang.zx2c4.com/wireguard v0.0.0-20210905140043-2ef39d47540c/go.mod h1:laHzsbfMhGSobUmruXWAyMKKHSqvIcrqZJMyHD+/3O8=
 golang.zx2c4.com/wireguard/windows v0.4.10 h1:HmjzJnb+G4NCdX+sfjsQlsxGPuYaThxRbZUZFLyR0/s=
@@ -931,8 +1026,10 @@ google.golang.org/api v0.70.0/go.mod h1:Bs4ZM2HGifEvXwd50TtW70ovgJffJYw2oRCOFU/S
 google.golang.org/api v0.71.0/go.mod h1:4PyU6e6JogV1f9eA4voyrTY2batOLdgZ5qZ5HOCc4j8=
 google.golang.org/api v0.74.0/go.mod h1:ZpfMZOVRMywNyvJFeqL9HRWBgAuRfSjJFpe9QtRRyDs=
 google.golang.org/api v0.75.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69ljA=
+google.golang.org/api v0.77.0/go.mod h1:pU9QmyHLnzlpar1Mjt4IbapUCy8J+6HD6GeELN69ljA=
 google.golang.org/api v0.78.0/go.mod h1:1Sg78yoMLOhlQTeF+ARBoytAcH1NNyyl390YMy6rKmw=
 google.golang.org/api v0.80.0/go.mod h1:xY3nI94gbvBrE0J6NHXhxOmW97HG7Khjkku6AFB3Hyg=
+google.golang.org/api v0.84.0 h1:NMB9J4cCxs9xEm+1Z9QiO3eFvn7EnQj3Eo3hN6ugVlg=
 google.golang.org/api v0.84.0/go.mod h1:NTsGnUFJMYROtiquksZHBWtHfeMC7iYthki7Eq3pa8o=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
@@ -1010,15 +1107,18 @@ google.golang.org/genproto v0.0.0-20220222213610-43724f9ea8cf/go.mod h1:kGP+zUP2
 google.golang.org/genproto v0.0.0-20220304144024-325a89244dc8/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI=
 google.golang.org/genproto v0.0.0-20220310185008-1973136f34c6/go.mod h1:kGP+zUP2Ddo0ayMi4YuN7C3WZyJvGLZRh8Z5wnAqvEI=
 google.golang.org/genproto v0.0.0-20220324131243-acbaeb5b85eb/go.mod h1:hAL49I2IFola2sVEjAn7MEwsja0xp51I0tlGAf9hz4E=
+google.golang.org/genproto v0.0.0-20220405205423-9d709892a2bf/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
 google.golang.org/genproto v0.0.0-20220407144326-9054f6ed7bac/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
 google.golang.org/genproto v0.0.0-20220413183235-5e96e2839df9/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
 google.golang.org/genproto v0.0.0-20220414192740-2d67ff6cf2b4/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
 google.golang.org/genproto v0.0.0-20220421151946-72621c1f0bd3/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
 google.golang.org/genproto v0.0.0-20220429170224-98d788798c3e/go.mod h1:8w6bsBMX6yCPbAVTeqQHvzxW0EIFigd5lZyahWgyfDo=
+google.golang.org/genproto v0.0.0-20220502173005-c8bf987b8c21/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
 google.golang.org/genproto v0.0.0-20220505152158-f39f71e6c8f3/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
 google.golang.org/genproto v0.0.0-20220518221133-4f43b3371335/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
 google.golang.org/genproto v0.0.0-20220523171625-347a074981d8/go.mod h1:RAyBrSAP7Fh3Nc84ghnVLDPuV51xc9agzmm4Ph6i0Q4=
 google.golang.org/genproto v0.0.0-20220608133413-ed9918b62aac/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
+google.golang.org/genproto v0.0.0-20220616135557-88e70c0c3a90 h1:4SPz2GL2CXJt28MTF8V6Ap/9ZiVbQlJeGSd9qtA7DLs=
 google.golang.org/genproto v0.0.0-20220616135557-88e70c0c3a90/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
@@ -1051,6 +1151,8 @@ google.golang.org/grpc v1.45.0/go.mod h1:lN7owxKUQEqMfSyQikvvk5tf/6zMPsrK+ONuO11
 google.golang.org/grpc v1.46.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
 google.golang.org/grpc v1.46.2/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
 google.golang.org/grpc v1.47.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
+google.golang.org/grpc v1.48.0 h1:rQOsyJ/8+ufEDJd/Gdsz7HG220Mh9HAhFHRGnIjda0w=
+google.golang.org/grpc v1.48.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
 google.golang.org/grpc/cmd/protoc-gen-go-grpc v1.1.0/go.mod h1:6Kw0yEErY5E/yWrBtf03jp27GLLJujG4z/JK95pnjjw=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
@@ -172,3 +172,88 @@ func setDNSConfigCommand() *coral.Command {

 	return command
 }
+
+func enableHttpsCommand() *coral.Command {
+	command := &coral.Command{
+		Use:          "enable-https",
+		Short:        "Enable HTTPS certificates",
+		SilenceUsage: true,
+	}
+
+	var tailnetID uint64
+	var tailnetName string
+	var alias string
+	var target = Target{}
+
+	target.prepareCommand(command)
+	command.Flags().StringVar(&tailnetName, "tailnet", "", "Tailnet name. Mutually exclusive with --tailnet-id.")
+	command.Flags().Uint64Var(&tailnetID, "tailnet-id", 0, "Tailnet ID. Mutually exclusive with --tailnet.")
+	command.Flags().StringVar(&alias, "alias", "", "")
+
+	command.PreRunE = checkRequiredTailnetAndTailnetIdFlags
+	command.RunE = func(command *coral.Command, args []string) error {
+		client, err := target.createGRPCClient()
+		if err != nil {
+			return err
+		}
+
+		tailnet, err := findTailnet(client, tailnetName, tailnetID)
+		if err != nil {
+			return err
+		}
+
+		req := api.EnableHttpsCertificatesRequest{
+			TailnetId: tailnet.Id,
+			Alias:     alias,
+		}
+
+		if _, err := client.EnableHttpsCertificates(context.Background(), connect.NewRequest(&req)); err != nil {
+			return err
+		}
+
+		return nil
+	}
+
+	return command
+}
+
+func disableHttpsCommand() *coral.Command {
+	command := &coral.Command{
+		Use:          "disable-https",
+		Short:        "Disable HTTPS certificates",
+		SilenceUsage: true,
+	}
+
+	var tailnetID uint64
+	var tailnetName string
+	var target = Target{}
+
+	target.prepareCommand(command)
+	command.Flags().StringVar(&tailnetName, "tailnet", "", "Tailnet name. Mutually exclusive with --tailnet-id.")
+	command.Flags().Uint64Var(&tailnetID, "tailnet-id", 0, "Tailnet ID. Mutually exclusive with --tailnet.")
+
+	command.PreRunE = checkRequiredTailnetAndTailnetIdFlags
+	command.RunE = func(command *coral.Command, args []string) error {
+		client, err := target.createGRPCClient()
+		if err != nil {
+			return err
+		}
+
+		tailnet, err := findTailnet(client, tailnetName, tailnetID)
+		if err != nil {
+			return err
+		}
+
+		req := api.DisableHttpsCertificatesRequest{
+			TailnetId: tailnet.Id,
+		}
+
+		if _, err := client.DisableHttpsCertificates(context.Background(), connect.NewRequest(&req)); err != nil {
+			return err
+		}
+
+		return nil
+	}
+
+	return command
+}
@@ -26,6 +26,8 @@ func tailnetCommand() *coral.Command {
 	command.AddCommand(setACLConfigCommand())
 	command.AddCommand(getIAMPolicyCommand())
 	command.AddCommand(setIAMPolicyCommand())
+	command.AddCommand(enableHttpsCommand())
+	command.AddCommand(disableHttpsCommand())

 	return command
 }
@@ -25,6 +25,7 @@ const (
 var (
 	keepAliveInterval = defaultKeepAliveInterval
 	magicDNSSuffix    = defaultMagicDNSSuffix
+	certDNSSuffix     = ""
 )

 func KeepAliveInterval() time.Duration {
@@ -35,6 +36,10 @@ func MagicDNSSuffix() string {
 	return magicDNSSuffix
 }

+func CertDNSSuffix() string {
+	return certDNSSuffix
+}
+
 func LoadConfig(path string) (*Config, error) {
 	cfg := defaultConfig()

@@ -72,6 +77,14 @@ func LoadConfig(path string) (*Config, error) {
 	keepAliveInterval = cfg.PollNet.KeepAliveInterval
 	magicDNSSuffix = cfg.DNS.MagicDNSSuffix

+	if cfg.DNS.Provider.Zone != "" {
+		if cfg.DNS.Provider.Subdomain == "" {
+			certDNSSuffix = cfg.DNS.Provider.Zone
+		} else {
+			certDNSSuffix = fmt.Sprintf("%s.%s", cfg.DNS.Provider.Subdomain, cfg.DNS.Provider.Zone)
+		}
+	}
+
 	return cfg, nil
 }

@@ -111,17 +124,17 @@ type ServerKeys struct {
 }

 type Config struct {
-	HttpListenAddr    string       `yaml:"http_listen_addr,omitempty" env:"HTTP_LISTEN_ADDR"`
-	HttpsListenAddr   string       `yaml:"https_listen_addr,omitempty" env:"HTTPS_LISTEN_ADDR"`
-	MetricsListenAddr string       `yaml:"metrics_listen_addr,omitempty" env:"METRICS_LISTEN_ADDR"`
-	ServerUrl         string       `yaml:"server_url,omitempty" env:"SERVER_URL"`
-	Tls               Tls          `yaml:"tls,omitempty" envPrefix:"TLS_"`
-	PollNet           PollNet      `yaml:"poll_net,omitempty" envPrefix:"POLL_NET_"`
-	Keys              Keys         `yaml:"keys,omitempty" envPrefix:"KEYS_"`
-	Database          Database     `yaml:"database,omitempty" envPrefix:"DB_"`
-	AuthProvider      AuthProvider `yaml:"auth_provider,omitempty"`
-	DNS               DNS          `yaml:"dns,omitempty"`
-	Logging           Logging      `yaml:"logging,omitempty" envPrefix:"LOGGING_"`
+	HttpListenAddr    string   `yaml:"http_listen_addr,omitempty" env:"HTTP_LISTEN_ADDR"`
+	HttpsListenAddr   string   `yaml:"https_listen_addr,omitempty" env:"HTTPS_LISTEN_ADDR"`
+	MetricsListenAddr string   `yaml:"metrics_listen_addr,omitempty" env:"METRICS_LISTEN_ADDR"`
+	ServerUrl         string   `yaml:"server_url,omitempty" env:"SERVER_URL"`
+	Tls               Tls      `yaml:"tls,omitempty" envPrefix:"TLS_"`
+	PollNet           PollNet  `yaml:"poll_net,omitempty" envPrefix:"POLL_NET_"`
+	Keys              Keys     `yaml:"keys,omitempty" envPrefix:"KEYS_"`
+	Database          Database `yaml:"database,omitempty" envPrefix:"DB_"`
+	Auth              Auth     `yaml:"auth,omitempty" envPrefix:"AUTH_"`
+	DNS               DNS      `yaml:"dns,omitempty"`
+	Logging           Logging  `yaml:"logging,omitempty" envPrefix:"LOGGING_"`
 }

 type Tls struct {
@@ -156,22 +169,34 @@ type Keys struct {
 	SystemAdminKey   string `yaml:"system_admin_key,omitempty" env:"SYSTEM_ADMIN_KEY"`
 }

-type AuthProvider struct {
-	Issuer            string            `yaml:"issuer"`
-	ClientID          string            `yaml:"client_id"`
-	ClientSecret      string            `yaml:"client_secret"`
-	Scopes            []string          `yaml:"additional_scopes"`
+type Auth struct {
+	Provider          AuthProvider      `yaml:"provider,omitempty" env:"PROVIDER"`
 	SystemAdminPolicy SystemAdminPolicy `yaml:"system_admins"`
 }

+type AuthProvider struct {
+	Issuer       string   `yaml:"issuer" env:"ISSUER"`
+	ClientID     string   `yaml:"client_id" env:"CLIENT_ID"`
+	ClientSecret string   `yaml:"client_secret" env:"CLIENT_SECRET"`
+	Scopes       []string `yaml:"additional_scopes"  env:"SCOPES"`
+}
+
 type DNS struct {
-	MagicDNSSuffix string `yaml:"magic_dns_suffix"`
+	MagicDNSSuffix string      `yaml:"magic_dns_suffix"`
+	Provider       DNSProvider `yaml:"provider,omitempty"`
+}
+
+type DNSProvider struct {
+	Name          string            `yaml:"name"`
+	Zone          string            `yaml:"zone"`
+	Subdomain     string            `yaml:"subdomain"`
+	Configuration map[string]string `yaml:"config"`
 }

 type SystemAdminPolicy struct {
-	Subs    []string `json:"subs,omitempty"`
-	Emails  []string `json:"emails,omitempty"`
-	Filters []string `json:"filters,omitempty"`
+	Subs    []string `yaml:"subs,omitempty"`
+	Emails  []string `yaml:"emails,omitempty"`
+	Filters []string `yaml:"filters,omitempty"`
 }

 func (c *Config) CreateUrl(format string, a ...interface{}) string {
@@ -8,6 +8,7 @@ import (
 	"github.com/hashicorp/go-hclog"
 	"github.com/jsiebens/ionscale/internal/broker"
 	"github.com/jsiebens/ionscale/internal/database/migration"
+	"github.com/jsiebens/ionscale/internal/util"
 	"tailscale.com/types/key"
 	"time"

@@ -85,6 +86,10 @@ func migrate(db *gorm.DB) error {
 		return err
 	}

+	if err := createJSONWebKeySet(ctx, repository); err != nil {
+		return err
+	}
+
 	return nil
 }

@@ -108,6 +113,29 @@ func createServerKey(ctx context.Context, repository domain.Repository) error {
 	return nil
 }

+func createJSONWebKeySet(ctx context.Context, repository domain.Repository) error {
+	jwks, err := repository.GetJSONWebKeySet(ctx)
+	if err != nil {
+		return err
+	}
+	if jwks != nil {
+		return nil
+	}
+
+	privateKey, id, err := util.NewPrivateKey()
+	if err != nil {
+		return err
+	}
+
+	jsonWebKey := domain.JSONWebKey{Id: id, PrivateKey: *privateKey}
+
+	if err := repository.SetJSONWebKeySet(ctx, &domain.JSONWebKeys{Key: jsonWebKey}); err != nil {
+		return err
+	}
+
+	return nil
+}
+
 type GormLoggerAdapter struct {
 	logger hclog.Logger
 }
@@ -20,7 +20,7 @@ func m202209070900_initial_schema() *gormigrate.Migration {

 			type Tailnet struct {
 				ID        uint64 `gorm:"primary_key;autoIncrement:false"`
-				Name      string `gorm:"type:varchar(64);unique_index"`
+				Name      string `gorm:"type:varchar(64);uniqueIndex"`
 				DNSConfig domain.DNSConfig
 				IAMPolicy domain.IAMPolicy
 				ACLPolicy domain.ACLPolicy
@@ -44,7 +44,7 @@ func m202209070900_initial_schema() *gormigrate.Migration {

 			type SystemApiKey struct {
 				ID   uint64 `gorm:"primary_key;autoIncrement:false"`
-				Key  string `gorm:"type:varchar(64);unique_index"`
+				Key  string `gorm:"type:varchar(64);uniqueIndex"`
 				Hash string

 				CreatedAt time.Time
@@ -56,7 +56,7 @@ func m202209070900_initial_schema() *gormigrate.Migration {

 			type ApiKey struct {
 				ID   uint64 `gorm:"primary_key;autoIncrement:false"`
-				Key  string `gorm:"type:varchar(64);unique_index"`
+				Key  string `gorm:"type:varchar(64);uniqueIndex"`
 				Hash string

 				CreatedAt time.Time
@@ -71,7 +71,7 @@ func m202209070900_initial_schema() *gormigrate.Migration {

 			type AuthKey struct {
 				ID        uint64 `gorm:"primary_key;autoIncrement:false"`
-				Key       string `gorm:"type:varchar(64);unique_index"`
+				Key       string `gorm:"type:varchar(64);uniqueIndex"`
 				Hash      string
 				Ephemeral bool
 				Tags      domain.Tags
@@ -118,7 +118,7 @@ func m202209070900_initial_schema() *gormigrate.Migration {

 			type RegistrationRequest struct {
 				MachineKey    string `gorm:"primary_key;autoIncrement:false"`
-				Key           string `gorm:"type:varchar(64);unique_index"`
+				Key           string `gorm:"type:varchar(64);uniqueIndex"`
 				Data          domain.RegistrationRequestData
 				CreatedAt     time.Time
 				Authenticated bool
@@ -0,0 +1,39 @@
+package migration
+
+import (
+	"github.com/go-gormigrate/gormigrate/v2"
+	"gorm.io/gorm"
+)
+
+func m202229251530_add_alias_column() *gormigrate.Migration {
+	return &gormigrate.Migration{
+		ID: "202229251530a",
+		Migrate: func(db *gorm.DB) error {
+			type Tailnet struct {
+				Alias *string `gorm:"type:varchar(64)"`
+			}
+
+			return db.AutoMigrate(
+				&Tailnet{},
+			)
+		},
+		Rollback: nil,
+	}
+}
+
+func m202229251530_add_alias_column_constraint() *gormigrate.Migration {
+	return &gormigrate.Migration{
+		ID: "202229251530b",
+		Migrate: func(db *gorm.DB) error {
+			type Tailnet struct {
+				Name  string  `gorm:"uniqueIndex"`
+				Alias *string `gorm:"uniqueIndex"`
+			}
+
+			return db.AutoMigrate(
+				&Tailnet{},
+			)
+		},
+		Rollback: nil,
+	}
+}
@@ -8,6 +8,8 @@ func Migrations() []*gormigrate.Migration {
 	var migrations = []*gormigrate.Migration{
 		m202209070900_initial_schema(),
 		m202209251530_add_autoallowips_column(),
+		m202229251530_add_alias_column(),
+		m202229251530_add_alias_column_constraint(),
 	}
 	return migrations
 }
@@ -0,0 +1,66 @@
+package dns
+
+import (
+	"context"
+	"fmt"
+	"github.com/jsiebens/ionscale/internal/config"
+	"github.com/jsiebens/ionscale/internal/mapping"
+	"github.com/libdns/azure"
+	"github.com/libdns/cloudflare"
+	"github.com/libdns/digitalocean"
+	"github.com/libdns/googleclouddns"
+	"github.com/libdns/libdns"
+	"github.com/libdns/route53"
+	"strings"
+	"time"
+)
+
+type Provider interface {
+	SetRecord(ctx context.Context, recordType, recordName, value string) error
+}
+
+func NewProvider(config config.DNSProvider) (Provider, error) {
+	if len(config.Zone) == 0 {
+		return nil, nil
+	}
+
+	switch config.Name {
+	case "azure":
+		return configureProvider(config.Zone, config.Configuration, &azure.Provider{})
+	case "cloudflare":
+		return configureProvider(config.Zone, config.Configuration, &cloudflare.Provider{})
+	case "digitalocean":
+		return configureProvider(config.Zone, config.Configuration, &digitalocean.Provider{})
+	case "googleclouddns":
+		return configureProvider(config.Zone, config.Configuration, &googleclouddns.Provider{})
+	case "route53":
+		return configureProvider(config.Zone, config.Configuration, &route53.Provider{})
+	default:
+		return nil, fmt.Errorf("unknown dns provider: %s", config.Name)
+	}
+}
+
+func configureProvider(zone string, v map[string]string, setter libdns.RecordSetter) (Provider, error) {
+	if err := mapping.CopyViaJson(v, setter); err != nil {
+		return nil, err
+	}
+	return &externalProvider{
+		zone:   zone,
+		setter: setter,
+	}, nil
+}
+
+type externalProvider struct {
+	zone   string
+	setter libdns.RecordSetter
+}
+
+func (p *externalProvider) SetRecord(ctx context.Context, recordType, recordName, value string) error {
+	_, err := p.setter.SetRecords(ctx, fmt.Sprintf("%s.", p.zone), []libdns.Record{{
+		Type:  recordType,
+		Name:  strings.TrimSuffix(recordName, p.zone),
+		Value: value,
+		TTL:   1 * time.Minute,
+	}})
+	return err
+}
@@ -9,10 +9,11 @@ import (
 )

 type DNSConfig struct {
-	MagicDNS         bool                `json:"magic_dns"`
-	OverrideLocalDNS bool                `json:"override_local_dns"`
-	Nameservers      []string            `json:"nameservers"`
-	Routes           map[string][]string `json:"routes"`
+	HttpsCertsEnabled bool                `json:"http_certs"`
+	MagicDNS          bool                `json:"magic_dns"`
+	OverrideLocalDNS  bool                `json:"override_local_dns"`
+	Nameservers       []string            `json:"nameservers"`
+	Routes            map[string][]string `json:"routes"`
 }

 func (i *DNSConfig) Scan(destination interface{}) error {
@@ -46,6 +46,13 @@ type Machine struct {

 type Machines []Machine

+func (m *Machine) CompleteName() string {
+	if m.NameIdx != 0 {
+		return fmt.Sprintf("%s-%d", m.Name, m.NameIdx)
+	}
+	return m.Name
+}
+
 func (m *Machine) IPs() []string {
 	return []string{m.IPv4.String(), m.IPv6.String()}
 }
@@ -14,6 +14,9 @@ type Repository interface {
 	GetControlKeys(ctx context.Context) (*ControlKeys, error)
 	SetControlKeys(ctx context.Context, keys *ControlKeys) error

+	GetJSONWebKeySet(ctx context.Context) (*JSONWebKeys, error)
+	SetJSONWebKeySet(ctx context.Context, keys *JSONWebKeys) error
+
 	GetDERPMap(ctx context.Context) (*tailcfg.DERPMap, error)
 	SetDERPMap(ctx context.Context, v *tailcfg.DERPMap) error

@@ -23,6 +26,7 @@ type Repository interface {
 	SaveTailnet(ctx context.Context, tailnet *Tailnet) error
 	GetOrCreateTailnet(ctx context.Context, name string, iamPolicy IAMPolicy) (*Tailnet, bool, error)
 	GetTailnet(ctx context.Context, id uint64) (*Tailnet, error)
+	GetTailnetByAlias(ctx context.Context, alias string) (*Tailnet, error)
 	ListTailnets(ctx context.Context) ([]Tailnet, error)
 	DeleteTailnet(ctx context.Context, id uint64) error

@@ -2,11 +2,14 @@ package domain

 import (
 	"context"
+	"crypto"
+	"crypto/rsa"
 	"encoding/json"
 	"errors"
 	"gorm.io/gorm"
 	"tailscale.com/tailcfg"
 	tkey "tailscale.com/types/key"
+	"time"
 )

 type configKey string
@@ -14,8 +17,23 @@ type configKey string
 const (
 	derpMapConfigKey     configKey = "derp_map"
 	controlKeysConfigKey configKey = "control_keys"
+	jwksConfigKey        configKey = "jwks"
 )

+type JSONWebKeys struct {
+	Key JSONWebKey
+}
+
+type JSONWebKey struct {
+	Id         string
+	PrivateKey rsa.PrivateKey
+	CreatedAt  time.Time
+}
+
+func (j JSONWebKey) Public() crypto.PublicKey {
+	return j.PrivateKey.Public()
+}
+
 type ServerConfig struct {
 	Key   configKey `gorm:"primary_key"`
 	Value []byte
@@ -45,6 +63,25 @@ func (r *repository) SetControlKeys(ctx context.Context, v *ControlKeys) error {
 	return r.setServerConfig(ctx, controlKeysConfigKey, v)
 }

+func (r *repository) GetJSONWebKeySet(ctx context.Context) (*JSONWebKeys, error) {
+	var m JSONWebKeys
+	err := r.getServerConfig(ctx, jwksConfigKey, &m)
+
+	if errors.Is(err, gorm.ErrRecordNotFound) {
+		return nil, nil
+	}
+
+	if err != nil {
+		return nil, err
+	}
+
+	return &m, nil
+}
+
+func (r *repository) SetJSONWebKeySet(ctx context.Context, v *JSONWebKeys) error {
+	return r.setServerConfig(ctx, jwksConfigKey, v)
+}
+
 func (r *repository) GetDERPMap(ctx context.Context) (*tailcfg.DERPMap, error) {
 	var m tailcfg.DERPMap

@@ -13,6 +13,7 @@ import (
 type Tailnet struct {
 	ID        uint64 `gorm:"primary_key"`
 	Name      string
+	Alias     *string
 	DNSConfig DNSConfig
 	IAMPolicy IAMPolicy
 	ACLPolicy ACLPolicy
@@ -76,6 +77,21 @@ func (r *repository) GetTailnet(ctx context.Context, id uint64) (*Tailnet, error
 	return &t, nil
 }

+func (r *repository) GetTailnetByAlias(ctx context.Context, alias string) (*Tailnet, error) {
+	var t Tailnet
+	tx := r.withContext(ctx).Take(&t, "alias = ?", alias)
+
+	if errors.Is(tx.Error, gorm.ErrRecordNotFound) {
+		return nil, nil
+	}
+
+	if tx.Error != nil {
+		return nil, tx.Error
+	}
+
+	return &t, nil
+}
+
 func (r *repository) ListTailnets(ctx context.Context) ([]Tailnet, error) {
 	var tailnets = []Tailnet{}
 	tx := r.withContext(ctx).Find(&tailnets)
@@ -0,0 +1,73 @@
+package handlers
+
+import (
+	"github.com/jsiebens/ionscale/internal/bind"
+	"github.com/jsiebens/ionscale/internal/dns"
+	"github.com/labstack/echo/v4"
+	"net"
+	"net/http"
+	"strings"
+	"tailscale.com/tailcfg"
+	"time"
+)
+
+func NewDNSHandlers(createBinder bind.Factory, provider dns.Provider) *DNSHandlers {
+	return &DNSHandlers{
+		createBinder: createBinder,
+		provider:     provider,
+	}
+}
+
+type DNSHandlers struct {
+	createBinder bind.Factory
+	provider     dns.Provider
+}
+
+func (h *DNSHandlers) SetDNS(c echo.Context) error {
+	ctx := c.Request().Context()
+
+	binder, err := h.createBinder(c)
+	if err != nil {
+		return err
+	}
+
+	req := &tailcfg.SetDNSRequest{}
+	if err := binder.BindRequest(c, req); err != nil {
+		return err
+	}
+
+	if h.provider == nil {
+		return echo.NewHTTPError(http.StatusNotFound)
+	}
+
+	if err := h.provider.SetRecord(ctx, req.Type, req.Name, req.Value); err != nil {
+		return err
+	}
+
+	if strings.HasPrefix(req.Name, "_acme-challenge") && req.Type == "TXT" {
+		// Listen to connection close
+		notify := ctx.Done()
+		timeout := time.After(5 * time.Minute)
+		tick := time.NewTicker(5 * time.Second)
+
+		defer func() { tick.Stop() }()
+
+		for {
+			select {
+			case <-tick.C:
+				txtrecords, _ := net.LookupTXT(req.Name)
+				for _, txt := range txtrecords {
+					if txt == req.Value {
+						return binder.WriteResponse(c, http.StatusOK, tailcfg.SetDNSResponse{})
+					}
+				}
+			case <-timeout:
+				return binder.WriteResponse(c, http.StatusOK, tailcfg.SetDNSResponse{})
+			case <-notify:
+				return nil
+			}
+		}
+	}
+
+	return binder.WriteResponse(c, http.StatusOK, tailcfg.SetDNSResponse{})
+}
@@ -0,0 +1,148 @@
+package handlers
+
+import (
+	"fmt"
+	"github.com/golang-jwt/jwt/v4"
+	"github.com/jsiebens/ionscale/internal/bind"
+	"github.com/jsiebens/ionscale/internal/config"
+	"github.com/jsiebens/ionscale/internal/domain"
+	"github.com/jsiebens/ionscale/internal/util"
+	"github.com/labstack/echo/v4"
+	"gopkg.in/square/go-jose.v2"
+	"net/http"
+	"tailscale.com/tailcfg"
+	"time"
+)
+
+func NewIDTokenHandlers(createBinder bind.Factory, config *config.Config, repository domain.Repository) *IDTokenHandlers {
+	return &IDTokenHandlers{
+		issuer:       config.ServerUrl,
+		jwksUri:      config.CreateUrl("/.well-known/jwks"),
+		createBinder: createBinder,
+		repository:   repository,
+	}
+}
+
+type IDTokenHandlers struct {
+	issuer       string
+	jwksUri      string
+	createBinder bind.Factory
+	repository   domain.Repository
+}
+
+func (h *IDTokenHandlers) OpenIDConfig(c echo.Context) error {
+	v := map[string]interface{}{}
+
+	v["issuer"] = h.issuer
+	v["jwks_uri"] = h.jwksUri
+	v["subject_types_supported"] = []string{"public"}
+	v["response_types_supported"] = []string{"id_token"}
+	v["scopes_supported"] = []string{"openid"}
+	v["id_token_signing_alg_values_supported"] = []string{"RS256"}
+	v["claims_supported"] = []string{
+		"sub",
+		"aud",
+		"exp",
+		"iat",
+		"iss",
+		"jti",
+		"nbf",
+	}
+
+	return c.JSON(http.StatusOK, v)
+}
+
+func (h *IDTokenHandlers) Jwks(c echo.Context) error {
+	keySet, err := h.repository.GetJSONWebKeySet(c.Request().Context())
+	if err != nil {
+		return err
+	}
+
+	pub := jose.JSONWebKey{Key: keySet.Key.Public(), KeyID: keySet.Key.Id, Algorithm: "RS256", Use: "sig"}
+	set := jose.JSONWebKeySet{Keys: []jose.JSONWebKey{pub}}
+	return c.JSON(http.StatusOK, set)
+}
+
+func (h *IDTokenHandlers) FetchToken(c echo.Context) error {
+	ctx := c.Request().Context()
+
+	keySet, err := h.repository.GetJSONWebKeySet(c.Request().Context())
+	if err != nil {
+		return err
+	}
+
+	binder, err := h.createBinder(c)
+	if err != nil {
+		return err
+	}
+
+	req := &tailcfg.TokenRequest{}
+	if err := binder.BindRequest(c, req); err != nil {
+		return err
+	}
+
+	machineKey := binder.Peer().String()
+	nodeKey := req.NodeKey.String()
+
+	var m *domain.Machine
+	m, err = h.repository.GetMachineByKeys(ctx, machineKey, nodeKey)
+	if err != nil {
+		return err
+	}
+
+	if m == nil {
+		return echo.NewHTTPError(http.StatusBadRequest)
+	}
+
+	_, tailnetDomain, sub := h.names(m)
+
+	now := time.Now()
+
+	claims := jwt.MapClaims{
+		"jit": fmt.Sprintf("%d", util.NextID()),
+		"iss": h.issuer,
+		"sub": sub,
+		"aud": []string{req.Audience},
+		"exp": jwt.NewNumericDate(now.Add(5 * time.Minute)),
+		"nbf": jwt.NewNumericDate(now),
+		"iat": jwt.NewNumericDate(now),
+
+		"key":       m.NodeKey,
+		"addresses": []string{m.IPv4.String(), m.IPv6.String()},
+		"nid":       m.ID,
+		"node":      sub,
+		"domain":    tailnetDomain,
+	}
+
+	if m.HasTags() {
+		tags := []string{}
+		for _, t := range m.Tags {
+			tags = append(tags, fmt.Sprintf("%s:%s", tailnetDomain, t))
+		}
+		claims["tags"] = tags
+	} else {
+		claims["user"] = fmt.Sprintf("%s:%s", tailnetDomain, m.User.Name)
+		claims["uid"] = m.UserID
+	}
+
+	unsignedToken := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
+	unsignedToken.Header["kid"] = keySet.Key.Id
+
+	jwtB64, err := unsignedToken.SignedString(&keySet.Key.PrivateKey)
+	if err != nil {
+		return err
+	}
+
+	resp := tailcfg.TokenResponse{IDToken: jwtB64}
+	return binder.WriteResponse(c, http.StatusOK, resp)
+}
+
+func (h *IDTokenHandlers) names(m *domain.Machine) (string, string, string) {
+	var name = m.Name
+	if m.NameIdx != 0 {
+		name = fmt.Sprintf("%s-%d", m.Name, m.NameIdx)
+	}
+
+	sanitizedTailnetName := domain.SanitizeTailnetName(m.Tailnet.Name)
+	return name, sanitizedTailnetName, fmt.Sprintf("%s.%s", name, sanitizedTailnetName)
+}
@@ -233,6 +233,7 @@ func (h *PollNetMapHandler) createMapResponse(m *domain.Machine, binder bind.Bin
 	var users = []tailcfg.UserProfile{*user}
 	var changedPeers []*tailcfg.Node
 	var removedPeers []tailcfg.NodeID
+	var validPeers []domain.Machine

 	candidatePeers, err := h.repository.ListMachinePeers(ctx, m.TailnetID, m.MachineKey)
 	if err != nil {
@@ -247,6 +248,7 @@ func (h *PollNetMapHandler) createMapResponse(m *domain.Machine, binder bind.Bin
 			continue
 		}
 		if policies.IsValidPeer(m, &peer) || policies.IsValidPeer(&peer, m) {
+			validPeers = append(validPeers, peer)
 			n, u, err := mapping.ToNode(&peer)
 			if err != nil {
 				return nil, nil, err
@@ -282,7 +284,7 @@ func (h *PollNetMapHandler) createMapResponse(m *domain.Machine, binder bind.Bin
 		mapResponse = &tailcfg.MapResponse{
 			KeepAlive:    false,
 			Node:         node,
-			DNSConfig:    mapping.ToDNSConfig(&m.Tailnet, &dnsConfig),
+			DNSConfig:    mapping.ToDNSConfig(m, validPeers, &m.Tailnet, &dnsConfig),
 			PacketFilter: rules,
 			DERPMap:      derpMap,
 			Domain:       domain.SanitizeTailnetName(m.Tailnet.Name),
@@ -296,7 +298,7 @@ func (h *PollNetMapHandler) createMapResponse(m *domain.Machine, binder bind.Bin
 	} else {
 		mapResponse = &tailcfg.MapResponse{
 			Node:         node,
-			DNSConfig:    mapping.ToDNSConfig(&m.Tailnet, &dnsConfig),
+			DNSConfig:    mapping.ToDNSConfig(m, validPeers, &m.Tailnet, &dnsConfig),
 			PacketFilter: rules,
 			DERPMap:      derpMap,
 			Domain:       domain.SanitizeTailnetName(m.Tailnet.Name),
@@ -27,8 +27,17 @@ func CopyViaJson[F any, T any](f F, t T) error {
 	return nil
 }

-func ToDNSConfig(tailnet *domain.Tailnet, c *domain.DNSConfig) *tailcfg.DNSConfig {
+func ToDNSConfig(m *domain.Machine, peers []domain.Machine, tailnet *domain.Tailnet, c *domain.DNSConfig) *tailcfg.DNSConfig {
+	certDNSSuffix := config.CertDNSSuffix()
+	certsEnabled := c.HttpsCertsEnabled && len(certDNSSuffix) != 0
+
 	tailnetDomain := domain.SanitizeTailnetName(tailnet.Name)
+
+	var certDomain = ""
+	if certsEnabled {
+		certDomain = domain.SanitizeTailnetName(*tailnet.Alias)
+	}
+
 	resolvers := []*dnstype.Resolver{}
 	for _, r := range c.Nameservers {
 		resolver := &dnstype.Resolver{
@@ -40,10 +49,16 @@ func ToDNSConfig(tailnet *domain.Tailnet, c *domain.DNSConfig) *tailcfg.DNSConfi
 	dnsConfig := &tailcfg.DNSConfig{}

 	var domains []string
+	var certDomains []string

 	if c.MagicDNS {
 		domains = append(domains, fmt.Sprintf("%s.%s", tailnetDomain, config.MagicDNSSuffix()))
 		dnsConfig.Proxied = true
+
+		if certsEnabled {
+			domains = append(domains, fmt.Sprintf("%s.%s", certDomain, certDNSSuffix))
+			certDomains = append(certDomains, fmt.Sprintf("%s.%s.%s", m.CompleteName(), certDomain, certDNSSuffix))
+		}
 	}

 	if c.OverrideLocalDNS {
@@ -52,8 +67,13 @@ func ToDNSConfig(tailnet *domain.Tailnet, c *domain.DNSConfig) *tailcfg.DNSConfi
 		dnsConfig.FallbackResolvers = resolvers
 	}

-	if len(c.Routes) != 0 {
+	if len(c.Routes) != 0 || certsEnabled {
 		routes := make(map[string][]*dnstype.Resolver)
+
+		if certsEnabled {
+			routes[fmt.Sprintf("%s.", certDNSSuffix)] = nil
+		}
+
 		for r, s := range c.Routes {
 			routeResolver := []*dnstype.Resolver{}
 			for _, addr := range s {
@@ -67,6 +87,23 @@ func ToDNSConfig(tailnet *domain.Tailnet, c *domain.DNSConfig) *tailcfg.DNSConfi
 	}

 	dnsConfig.Domains = domains
+	dnsConfig.CertDomains = certDomains
+
+	if certsEnabled {
+		var extraRecords = []tailcfg.DNSRecord{{
+			Name:  fmt.Sprintf("%s.%s.%s", m.CompleteName(), certDomain, certDNSSuffix),
+			Value: m.IPv4.String(),
+		}}
+
+		for _, p := range peers {
+			extraRecords = append(extraRecords, tailcfg.DNSRecord{
+				Name:  fmt.Sprintf("%s.%s.%s", p.CompleteName(), certDomain, certDNSSuffix),
+				Value: p.IPv4.String(),
+			})
+		}
+
+		dnsConfig.ExtraRecords = extraRecords
+	}

 	return dnsConfig
 }
@@ -125,10 +162,7 @@ func ToNode(m *domain.Machine) (*tailcfg.Node, *tailcfg.UserProfile, error) {
 		derp = "127.3.3.40:0"
 	}

-	var name = m.Name
-	if m.NameIdx != 0 {
-		name = fmt.Sprintf("%s-%d", m.Name, m.NameIdx)
-	}
+	var name = m.CompleteName()

 	sanitizedTailnetName := domain.SanitizeTailnetName(m.Tailnet.Name)

@@ -9,6 +9,7 @@ import (
 	"github.com/jsiebens/ionscale/internal/bind"
 	"github.com/jsiebens/ionscale/internal/config"
 	"github.com/jsiebens/ionscale/internal/database"
+	"github.com/jsiebens/ionscale/internal/dns"
 	"github.com/jsiebens/ionscale/internal/domain"
 	"github.com/jsiebens/ionscale/internal/handlers"
 	"github.com/jsiebens/ionscale/internal/provider"
@@ -81,27 +82,38 @@ func Start(c *config.Config) error {
 		c.HttpsListenAddr = fmt.Sprintf(":%d", certmagic.HTTPSPort)
 	}

+	authProvider, systemIAMPolicy, err := setupAuthProvider(c.Auth)
+	if err != nil {
+		return fmt.Errorf("error configuring OIDC provider: %v", err)
+	}
+
+	dnsProvider, err := dns.NewProvider(c.DNS.Provider)
+	if err != nil {
+		return err
+	}
+
 	createPeerHandler := func(p key.MachinePublic) http.Handler {
 		registrationHandlers := handlers.NewRegistrationHandlers(bind.DefaultBinder(p), c, brokers, repository)
 		pollNetMapHandler := handlers.NewPollNetMapHandler(bind.DefaultBinder(p), brokers, repository, offlineTimers)
+		dnsHandlers := handlers.NewDNSHandlers(bind.DefaultBinder(p), dnsProvider)
+		idTokenHandlers := handlers.NewIDTokenHandlers(bind.DefaultBinder(p), c, repository)

 		e := echo.New()
 		e.Use(EchoLogger(logger))
 		e.Use(EchoRecover(logger))
 		e.POST("/machine/register", registrationHandlers.Register)
 		e.POST("/machine/map", pollNetMapHandler.PollNetMap)
+		e.POST("/machine/set-dns", dnsHandlers.SetDNS)
+		e.POST("/machine/id-token", idTokenHandlers.FetchToken)

 		return e
 	}

-	authProvider, systemIAMPolicy, err := setupAuthProvider(c.AuthProvider)
-	if err != nil {
-		return fmt.Errorf("error configuring OIDC provider: %v", err)
-	}
-
 	noiseHandlers := handlers.NewNoiseHandlers(serverKey.ControlKey, createPeerHandler)
 	registrationHandlers := handlers.NewRegistrationHandlers(bind.BoxBinder(serverKey.LegacyControlKey), c, brokers, repository)
 	pollNetMapHandler := handlers.NewPollNetMapHandler(bind.BoxBinder(serverKey.LegacyControlKey), brokers, repository, offlineTimers)
+	dnsHandlers := handlers.NewDNSHandlers(bind.BoxBinder(serverKey.LegacyControlKey), dnsProvider)
+	idTokenHandlers := handlers.NewIDTokenHandlers(bind.BoxBinder(serverKey.LegacyControlKey), c, repository)
 	authenticationHandlers := handlers.NewAuthenticationHandlers(
 		c,
 		authProvider,
@@ -139,6 +151,9 @@ func Start(c *config.Config) error {
 	tlsAppHandler.POST("/ts2021", noiseHandlers.Upgrade)
 	tlsAppHandler.POST("/machine/:id", registrationHandlers.Register)
 	tlsAppHandler.POST("/machine/:id/map", pollNetMapHandler.PollNetMap)
+	tlsAppHandler.POST("/machine/:id/set-dns", dnsHandlers.SetDNS)
+	tlsAppHandler.GET("/.well-known/jwks", idTokenHandlers.Jwks)
+	tlsAppHandler.GET("/.well-known/openid-configuration", idTokenHandlers.OpenIDConfig)

 	auth := tlsAppHandler.Group("/a")
 	auth.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
@@ -192,12 +207,12 @@ func Start(c *config.Config) error {
 	return g.Wait()
 }

-func setupAuthProvider(config config.AuthProvider) (provider.AuthProvider, *domain.IAMPolicy, error) {
-	if len(config.Issuer) == 0 {
+func setupAuthProvider(config config.Auth) (provider.AuthProvider, *domain.IAMPolicy, error) {
+	if len(config.Provider.Issuer) == 0 {
 		return nil, &domain.IAMPolicy{}, nil
 	}

-	authProvider, err := provider.NewOIDCProvider(&config)
+	authProvider, err := provider.NewOIDCProvider(&config.Provider)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -9,6 +9,7 @@ import (
 	"github.com/jsiebens/ionscale/internal/config"
 	"github.com/jsiebens/ionscale/internal/domain"
 	api "github.com/jsiebens/ionscale/pkg/gen/ionscale/v1"
+	"tailscale.com/util/dnsname"
 )

 func (s *Service) GetDNSConfig(ctx context.Context, req *connect.Request[api.GetDNSConfigRequest]) (*connect.Response[api.GetDNSConfigResponse], error) {
@@ -79,6 +80,82 @@ func (s *Service) SetDNSConfig(ctx context.Context, req *connect.Request[api.Set
 	return connect.NewResponse(resp), nil
 }

+func (s *Service) EnableHttpsCertificates(ctx context.Context, req *connect.Request[api.EnableHttpsCertificatesRequest]) (*connect.Response[api.EnableHttpsCertificatesResponse], error) {
+	principal := CurrentPrincipal(ctx)
+	if !principal.IsSystemAdmin() && !principal.IsTailnetAdmin(req.Msg.TailnetId) {
+		return nil, connect.NewError(connect.CodePermissionDenied, errors.New("permission denied"))
+	}
+
+	alias := dnsname.SanitizeLabel(req.Msg.Alias)
+
+	tailnet, err := s.repository.GetTailnet(ctx, req.Msg.TailnetId)
+	if err != nil {
+		return nil, err
+	}
+	if tailnet == nil {
+		return nil, connect.NewError(connect.CodeNotFound, errors.New("tailnet not found"))
+	}
+
+	if !tailnet.DNSConfig.MagicDNS {
+		return nil, connect.NewError(connect.CodeFailedPrecondition, errors.New("MagicDNS must be enabled for this tailnet"))
+	}
+
+	if tailnet.Alias == nil && len(alias) == 0 {
+		return nil, connect.NewError(connect.CodeFailedPrecondition, errors.New("when enabling HTTPS certificates for the first time, a Tailnet alias is required"))
+	}
+
+	if tailnet.Alias != nil && len(alias) != 0 && *tailnet.Alias != alias {
+		return nil, connect.NewError(connect.CodeInvalidArgument, errors.New("a Tailnet alias was already configured previously"))
+	}
+
+	tailnet.DNSConfig.HttpsCertsEnabled = true
+	if tailnet.Alias == nil && len(alias) != 0 {
+		t, err := s.repository.GetTailnetByAlias(ctx, alias)
+		if err != nil {
+			return nil, err
+		}
+
+		if t != nil && t.ID != tailnet.ID {
+			return nil, connect.NewError(connect.CodeInvalidArgument, errors.New("given alias is already in use"))
+		}
+
+		tailnet.Alias = &alias
+	}
+
+	if err := s.repository.SaveTailnet(ctx, tailnet); err != nil {
+		return nil, err
+	}
+
+	s.pubsub.Publish(tailnet.ID, &broker.Signal{DNSUpdated: true})
+
+	return connect.NewResponse(&api.EnableHttpsCertificatesResponse{}), nil
+}
+
+func (s *Service) DisableHttpsCertificates(ctx context.Context, req *connect.Request[api.DisableHttpsCertificatesRequest]) (*connect.Response[api.DisableHttpsCertificatesResponse], error) {
+	principal := CurrentPrincipal(ctx)
+	if !principal.IsSystemAdmin() && !principal.IsTailnetAdmin(req.Msg.TailnetId) {
+		return nil, connect.NewError(connect.CodePermissionDenied, errors.New("permission denied"))
+	}
+
+	tailnet, err := s.repository.GetTailnet(ctx, req.Msg.TailnetId)
+	if err != nil {
+		return nil, err
+	}
+	if tailnet == nil {
+		return nil, connect.NewError(connect.CodeNotFound, errors.New("tailnet not found"))
+	}
+
+	tailnet.DNSConfig.HttpsCertsEnabled = false
+
+	if err := s.repository.SaveTailnet(ctx, tailnet); err != nil {
+		return nil, err
+	}
+
+	s.pubsub.Publish(tailnet.ID, &broker.Signal{DNSUpdated: true})
+
+	return connect.NewResponse(&api.DisableHttpsCertificatesResponse{}), nil
+}
+
 func domainRoutesToApiRoutes(routes map[string][]string) map[string]*api.Routes {
 	var result = map[string]*api.Routes{}
 	for k, v := range routes {
@@ -1,6 +1,7 @@
 package util

 import (
+	"crypto/rsa"
 	"math/rand"
 	"time"
 )
@@ -34,3 +35,14 @@ func RandomBytes(size int) ([]byte, error) {
 	}
 	return buf, nil
 }
+
+func NewPrivateKey() (*rsa.PrivateKey, string, error) {
+	id := RandStringBytes(22)
+
+	privateKey, err := rsa.GenerateKey(entropy, 2048)
+	if err != nil {
+		return nil, "", err
+	}
+
+	return privateKey, id, nil
+}
@@ -218,6 +218,184 @@ func (x *SetDNSConfigResponse) GetConfig() *DNSConfig {
 	return nil
 }

+type EnableHttpsCertificatesRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	TailnetId uint64 `protobuf:"varint,1,opt,name=tailnet_id,json=tailnetId,proto3" json:"tailnet_id,omitempty"`
+	Alias     string `protobuf:"bytes,2,opt,name=alias,proto3" json:"alias,omitempty"`
+}
+
+func (x *EnableHttpsCertificatesRequest) Reset() {
+	*x = EnableHttpsCertificatesRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_ionscale_v1_dns_proto_msgTypes[4]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *EnableHttpsCertificatesRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*EnableHttpsCertificatesRequest) ProtoMessage() {}
+
+func (x *EnableHttpsCertificatesRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_ionscale_v1_dns_proto_msgTypes[4]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use EnableHttpsCertificatesRequest.ProtoReflect.Descriptor instead.
+func (*EnableHttpsCertificatesRequest) Descriptor() ([]byte, []int) {
+	return file_ionscale_v1_dns_proto_rawDescGZIP(), []int{4}
+}
+
+func (x *EnableHttpsCertificatesRequest) GetTailnetId() uint64 {
+	if x != nil {
+		return x.TailnetId
+	}
+	return 0
+}
+
+func (x *EnableHttpsCertificatesRequest) GetAlias() string {
+	if x != nil {
+		return x.Alias
+	}
+	return ""
+}
+
+type EnableHttpsCertificatesResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+}
+
+func (x *EnableHttpsCertificatesResponse) Reset() {
+	*x = EnableHttpsCertificatesResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_ionscale_v1_dns_proto_msgTypes[5]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *EnableHttpsCertificatesResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*EnableHttpsCertificatesResponse) ProtoMessage() {}
+
+func (x *EnableHttpsCertificatesResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_ionscale_v1_dns_proto_msgTypes[5]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use EnableHttpsCertificatesResponse.ProtoReflect.Descriptor instead.
+func (*EnableHttpsCertificatesResponse) Descriptor() ([]byte, []int) {
+	return file_ionscale_v1_dns_proto_rawDescGZIP(), []int{5}
+}
+
+type DisableHttpsCertificatesRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+
+	TailnetId uint64 `protobuf:"varint,1,opt,name=tailnet_id,json=tailnetId,proto3" json:"tailnet_id,omitempty"`
+}
+
+func (x *DisableHttpsCertificatesRequest) Reset() {
+	*x = DisableHttpsCertificatesRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_ionscale_v1_dns_proto_msgTypes[6]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *DisableHttpsCertificatesRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*DisableHttpsCertificatesRequest) ProtoMessage() {}
+
+func (x *DisableHttpsCertificatesRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_ionscale_v1_dns_proto_msgTypes[6]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use DisableHttpsCertificatesRequest.ProtoReflect.Descriptor instead.
+func (*DisableHttpsCertificatesRequest) Descriptor() ([]byte, []int) {
+	return file_ionscale_v1_dns_proto_rawDescGZIP(), []int{6}
+}
+
+func (x *DisableHttpsCertificatesRequest) GetTailnetId() uint64 {
+	if x != nil {
+		return x.TailnetId
+	}
+	return 0
+}
+
+type DisableHttpsCertificatesResponse struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+}
+
+func (x *DisableHttpsCertificatesResponse) Reset() {
+	*x = DisableHttpsCertificatesResponse{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_ionscale_v1_dns_proto_msgTypes[7]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *DisableHttpsCertificatesResponse) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*DisableHttpsCertificatesResponse) ProtoMessage() {}
+
+func (x *DisableHttpsCertificatesResponse) ProtoReflect() protoreflect.Message {
+	mi := &file_ionscale_v1_dns_proto_msgTypes[7]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use DisableHttpsCertificatesResponse.ProtoReflect.Descriptor instead.
+func (*DisableHttpsCertificatesResponse) Descriptor() ([]byte, []int) {
+	return file_ionscale_v1_dns_proto_rawDescGZIP(), []int{7}
+}
+
 type DNSConfig struct {
 	state         protoimpl.MessageState
 	sizeCache     protoimpl.SizeCache
@@ -233,7 +411,7 @@ type DNSConfig struct {
 func (x *DNSConfig) Reset() {
 	*x = DNSConfig{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_ionscale_v1_dns_proto_msgTypes[4]
+		mi := &file_ionscale_v1_dns_proto_msgTypes[8]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -246,7 +424,7 @@ func (x *DNSConfig) String() string {
 func (*DNSConfig) ProtoMessage() {}

 func (x *DNSConfig) ProtoReflect() protoreflect.Message {
-	mi := &file_ionscale_v1_dns_proto_msgTypes[4]
+	mi := &file_ionscale_v1_dns_proto_msgTypes[8]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -259,7 +437,7 @@ func (x *DNSConfig) ProtoReflect() protoreflect.Message {

 // Deprecated: Use DNSConfig.ProtoReflect.Descriptor instead.
 func (*DNSConfig) Descriptor() ([]byte, []int) {
-	return file_ionscale_v1_dns_proto_rawDescGZIP(), []int{4}
+	return file_ionscale_v1_dns_proto_rawDescGZIP(), []int{8}
 }

 func (x *DNSConfig) GetMagicDns() bool {
@@ -308,7 +486,7 @@ type Routes struct {
 func (x *Routes) Reset() {
 	*x = Routes{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_ionscale_v1_dns_proto_msgTypes[5]
+		mi := &file_ionscale_v1_dns_proto_msgTypes[9]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -321,7 +499,7 @@ func (x *Routes) String() string {
 func (*Routes) ProtoMessage() {}

 func (x *Routes) ProtoReflect() protoreflect.Message {
-	mi := &file_ionscale_v1_dns_proto_msgTypes[5]
+	mi := &file_ionscale_v1_dns_proto_msgTypes[9]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -334,7 +512,7 @@ func (x *Routes) ProtoReflect() protoreflect.Message {

 // Deprecated: Use Routes.ProtoReflect.Descriptor instead.
 func (*Routes) Descriptor() ([]byte, []int) {
-	return file_ionscale_v1_dns_proto_rawDescGZIP(), []int{5}
+	return file_ionscale_v1_dns_proto_rawDescGZIP(), []int{9}
 }

 func (x *Routes) GetRoutes() []string {
@@ -372,7 +550,21 @@ var file_ionscale_v1_dns_proto_rawDesc = []byte{
 	0x65, 0x12, 0x2e, 0x0a, 0x06, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x18, 0x01, 0x20, 0x01, 0x28,
 	0x0b, 0x32, 0x16, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e,
 	0x44, 0x4e, 0x53, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x52, 0x06, 0x63, 0x6f, 0x6e, 0x66, 0x69,
-	0x67, 0x22, 0xae, 0x02, 0x0a, 0x09, 0x44, 0x4e, 0x53, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12,
+	0x67, 0x22, 0x55, 0x0a, 0x1e, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x48, 0x74, 0x74, 0x70, 0x73,
+	0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75,
+	0x65, 0x73, 0x74, 0x12, 0x1d, 0x0a, 0x0a, 0x74, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x5f, 0x69,
+	0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x04, 0x52, 0x09, 0x74, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74,
+	0x49, 0x64, 0x12, 0x14, 0x0a, 0x05, 0x61, 0x6c, 0x69, 0x61, 0x73, 0x18, 0x02, 0x20, 0x01, 0x28,
+	0x09, 0x52, 0x05, 0x61, 0x6c, 0x69, 0x61, 0x73, 0x22, 0x21, 0x0a, 0x1f, 0x45, 0x6e, 0x61, 0x62,
+	0x6c, 0x65, 0x48, 0x74, 0x74, 0x70, 0x73, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61,
+	0x74, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x40, 0x0a, 0x1f, 0x44,
+	0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x48, 0x74, 0x74, 0x70, 0x73, 0x43, 0x65, 0x72, 0x74, 0x69,
+	0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x1d,
+	0x0a, 0x0a, 0x74, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x5f, 0x69, 0x64, 0x18, 0x01, 0x20, 0x01,
+	0x28, 0x04, 0x52, 0x09, 0x74, 0x61, 0x69, 0x6c, 0x6e, 0x65, 0x74, 0x49, 0x64, 0x22, 0x22, 0x0a,
+	0x20, 0x44, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x48, 0x74, 0x74, 0x70, 0x73, 0x43, 0x65, 0x72,
+	0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73,
+	0x65, 0x22, 0xae, 0x02, 0x0a, 0x09, 0x44, 0x4e, 0x53, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12,
 	0x1b, 0x0a, 0x09, 0x6d, 0x61, 0x67, 0x69, 0x63, 0x5f, 0x64, 0x6e, 0x73, 0x18, 0x01, 0x20, 0x01,
 	0x28, 0x08, 0x52, 0x08, 0x6d, 0x61, 0x67, 0x69, 0x63, 0x44, 0x6e, 0x73, 0x12, 0x2c, 0x0a, 0x12,
 	0x6f, 0x76, 0x65, 0x72, 0x72, 0x69, 0x64, 0x65, 0x5f, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x5f, 0x64,
@@ -412,27 +604,31 @@ func file_ionscale_v1_dns_proto_rawDescGZIP() []byte {
 	return file_ionscale_v1_dns_proto_rawDescData
 }

-var file_ionscale_v1_dns_proto_msgTypes = make([]protoimpl.MessageInfo, 7)
+var file_ionscale_v1_dns_proto_msgTypes = make([]protoimpl.MessageInfo, 11)
 var file_ionscale_v1_dns_proto_goTypes = []interface{}{
-	(*GetDNSConfigRequest)(nil),  // 0: ionscale.v1.GetDNSConfigRequest
-	(*GetDNSConfigResponse)(nil), // 1: ionscale.v1.GetDNSConfigResponse
-	(*SetDNSConfigRequest)(nil),  // 2: ionscale.v1.SetDNSConfigRequest
-	(*SetDNSConfigResponse)(nil), // 3: ionscale.v1.SetDNSConfigResponse
-	(*DNSConfig)(nil),            // 4: ionscale.v1.DNSConfig
-	(*Routes)(nil),               // 5: ionscale.v1.Routes
-	nil,                          // 6: ionscale.v1.DNSConfig.RoutesEntry
+	(*GetDNSConfigRequest)(nil),              // 0: ionscale.v1.GetDNSConfigRequest
+	(*GetDNSConfigResponse)(nil),             // 1: ionscale.v1.GetDNSConfigResponse
+	(*SetDNSConfigRequest)(nil),              // 2: ionscale.v1.SetDNSConfigRequest
+	(*SetDNSConfigResponse)(nil),             // 3: ionscale.v1.SetDNSConfigResponse
+	(*EnableHttpsCertificatesRequest)(nil),   // 4: ionscale.v1.EnableHttpsCertificatesRequest
+	(*EnableHttpsCertificatesResponse)(nil),  // 5: ionscale.v1.EnableHttpsCertificatesResponse
+	(*DisableHttpsCertificatesRequest)(nil),  // 6: ionscale.v1.DisableHttpsCertificatesRequest
+	(*DisableHttpsCertificatesResponse)(nil), // 7: ionscale.v1.DisableHttpsCertificatesResponse
+	(*DNSConfig)(nil),                        // 8: ionscale.v1.DNSConfig
+	(*Routes)(nil),                           // 9: ionscale.v1.Routes
+	nil,                                      // 10: ionscale.v1.DNSConfig.RoutesEntry
 }
 var file_ionscale_v1_dns_proto_depIdxs = []int32{
-	4, // 0: ionscale.v1.GetDNSConfigResponse.config:type_name -> ionscale.v1.DNSConfig
-	4, // 1: ionscale.v1.SetDNSConfigRequest.config:type_name -> ionscale.v1.DNSConfig
-	4, // 2: ionscale.v1.SetDNSConfigResponse.config:type_name -> ionscale.v1.DNSConfig
-	6, // 3: ionscale.v1.DNSConfig.routes:type_name -> ionscale.v1.DNSConfig.RoutesEntry
-	5, // 4: ionscale.v1.DNSConfig.RoutesEntry.value:type_name -> ionscale.v1.Routes
-	5, // [5:5] is the sub-list for method output_type
-	5, // [5:5] is the sub-list for method input_type
-	5, // [5:5] is the sub-list for extension type_name
-	5, // [5:5] is the sub-list for extension extendee
-	0, // [0:5] is the sub-list for field type_name
+	8,  // 0: ionscale.v1.GetDNSConfigResponse.config:type_name -> ionscale.v1.DNSConfig
+	8,  // 1: ionscale.v1.SetDNSConfigRequest.config:type_name -> ionscale.v1.DNSConfig
+	8,  // 2: ionscale.v1.SetDNSConfigResponse.config:type_name -> ionscale.v1.DNSConfig
+	10, // 3: ionscale.v1.DNSConfig.routes:type_name -> ionscale.v1.DNSConfig.RoutesEntry
+	9,  // 4: ionscale.v1.DNSConfig.RoutesEntry.value:type_name -> ionscale.v1.Routes
+	5,  // [5:5] is the sub-list for method output_type
+	5,  // [5:5] is the sub-list for method input_type
+	5,  // [5:5] is the sub-list for extension type_name
+	5,  // [5:5] is the sub-list for extension extendee
+	0,  // [0:5] is the sub-list for field type_name
 }

 func init() { file_ionscale_v1_dns_proto_init() }
@@ -490,7 +686,7 @@ func file_ionscale_v1_dns_proto_init() {
 			}
 		}
 		file_ionscale_v1_dns_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} {
-			switch v := v.(*DNSConfig); i {
+			switch v := v.(*EnableHttpsCertificatesRequest); i {
 			case 0:
 				return &v.state
 			case 1:
@@ -502,6 +698,54 @@ func file_ionscale_v1_dns_proto_init() {
 			}
 		}
 		file_ionscale_v1_dns_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*EnableHttpsCertificatesResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_ionscale_v1_dns_proto_msgTypes[6].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*DisableHttpsCertificatesRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_ionscale_v1_dns_proto_msgTypes[7].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*DisableHttpsCertificatesResponse); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_ionscale_v1_dns_proto_msgTypes[8].Exporter = func(v interface{}, i int) interface{} {
+			switch v := v.(*DNSConfig); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_ionscale_v1_dns_proto_msgTypes[9].Exporter = func(v interface{}, i int) interface{} {
 			switch v := v.(*Routes); i {
 			case 0:
 				return &v.state
@@ -520,7 +764,7 @@ func file_ionscale_v1_dns_proto_init() {
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_ionscale_v1_dns_proto_rawDesc,
 			NumEnums:      0,
-			NumMessages:   7,
+			NumMessages:   11,
 			NumExtensions: 0,
 			NumServices:   0,
 		},
@@ -48,7 +48,7 @@ var file_ionscale_v1_ionscale_proto_rawDesc = []byte{
 	0x6f, 0x74, 0x6f, 0x1a, 0x15, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31,
 	0x2f, 0x61, 0x63, 0x6c, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x16, 0x69, 0x6f, 0x6e, 0x73,
 	0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x2f, 0x64, 0x65, 0x72, 0x70, 0x2e, 0x70, 0x72, 0x6f,
-	0x74, 0x6f, 0x32, 0xff, 0x14, 0x0a, 0x0f, 0x49, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x53,
+	0x74, 0x6f, 0x32, 0xf2, 0x16, 0x0a, 0x0f, 0x49, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x53,
 	0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x12, 0x4f, 0x0a, 0x0a, 0x47, 0x65, 0x74, 0x56, 0x65, 0x72,
 	0x73, 0x69, 0x6f, 0x6e, 0x12, 0x1e, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e,
 	0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x52, 0x65, 0x71,
@@ -216,70 +216,89 @@ var file_ionscale_v1_ionscale_proto_rawDesc = []byte{
 	0x4e, 0x6f, 0x64, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x25, 0x2e, 0x69, 0x6f,
 	0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x47, 0x65, 0x74, 0x4d, 0x61, 0x63,
 	0x68, 0x69, 0x6e, 0x65, 0x52, 0x6f, 0x75, 0x74, 0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e,
-	0x73, 0x65, 0x22, 0x00, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63,
-	0x6f, 0x6d, 0x2f, 0x6a, 0x73, 0x69, 0x65, 0x62, 0x65, 0x6e, 0x73, 0x2f, 0x69, 0x6f, 0x6e, 0x73,
-	0x63, 0x61, 0x6c, 0x65, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x65, 0x6e, 0x2f, 0x69, 0x6f, 0x6e,
-	0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x3b, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c,
-	0x65, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x73, 0x65, 0x22, 0x00, 0x12, 0x76, 0x0a, 0x17, 0x45, 0x6e, 0x61, 0x62, 0x6c, 0x65, 0x48, 0x74,
+	0x74, 0x70, 0x73, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x12,
+	0x2b, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x6e,
+	0x61, 0x62, 0x6c, 0x65, 0x48, 0x74, 0x74, 0x70, 0x73, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69,
+	0x63, 0x61, 0x74, 0x65, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2c, 0x2e, 0x69,
+	0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x45, 0x6e, 0x61, 0x62, 0x6c,
+	0x65, 0x48, 0x74, 0x74, 0x70, 0x73, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74,
+	0x65, 0x73, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x12, 0x79, 0x0a, 0x18,
+	0x44, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x48, 0x74, 0x74, 0x70, 0x73, 0x43, 0x65, 0x72, 0x74,
+	0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x12, 0x2c, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63,
+	0x61, 0x6c, 0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x48, 0x74,
+	0x74, 0x70, 0x73, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x52,
+	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x1a, 0x2d, 0x2e, 0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c,
+	0x65, 0x2e, 0x76, 0x31, 0x2e, 0x44, 0x69, 0x73, 0x61, 0x62, 0x6c, 0x65, 0x48, 0x74, 0x74, 0x70,
+	0x73, 0x43, 0x65, 0x72, 0x74, 0x69, 0x66, 0x69, 0x63, 0x61, 0x74, 0x65, 0x73, 0x52, 0x65, 0x73,
+	0x70, 0x6f, 0x6e, 0x73, 0x65, 0x22, 0x00, 0x42, 0x3d, 0x5a, 0x3b, 0x67, 0x69, 0x74, 0x68, 0x75,
+	0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6a, 0x73, 0x69, 0x65, 0x62, 0x65, 0x6e, 0x73, 0x2f, 0x69,
+	0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x70, 0x6b, 0x67, 0x2f, 0x67, 0x65, 0x6e, 0x2f,
+	0x69, 0x6f, 0x6e, 0x73, 0x63, 0x61, 0x6c, 0x65, 0x2f, 0x76, 0x31, 0x3b, 0x69, 0x6f, 0x6e, 0x73,
+	0x63, 0x61, 0x6c, 0x65, 0x76, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
 }

 var file_ionscale_v1_ionscale_proto_goTypes = []interface{}{
-	(*GetVersionRequest)(nil),           // 0: ionscale.v1.GetVersionRequest
-	(*AuthenticationRequest)(nil),       // 1: ionscale.v1.AuthenticationRequest
-	(*GetDERPMapRequest)(nil),           // 2: ionscale.v1.GetDERPMapRequest
-	(*SetDERPMapRequest)(nil),           // 3: ionscale.v1.SetDERPMapRequest
-	(*CreateTailnetRequest)(nil),        // 4: ionscale.v1.CreateTailnetRequest
-	(*GetTailnetRequest)(nil),           // 5: ionscale.v1.GetTailnetRequest
-	(*ListTailnetRequest)(nil),          // 6: ionscale.v1.ListTailnetRequest
-	(*DeleteTailnetRequest)(nil),        // 7: ionscale.v1.DeleteTailnetRequest
-	(*GetDNSConfigRequest)(nil),         // 8: ionscale.v1.GetDNSConfigRequest
-	(*SetDNSConfigRequest)(nil),         // 9: ionscale.v1.SetDNSConfigRequest
-	(*GetIAMPolicyRequest)(nil),         // 10: ionscale.v1.GetIAMPolicyRequest
-	(*SetIAMPolicyRequest)(nil),         // 11: ionscale.v1.SetIAMPolicyRequest
-	(*GetACLPolicyRequest)(nil),         // 12: ionscale.v1.GetACLPolicyRequest
-	(*SetACLPolicyRequest)(nil),         // 13: ionscale.v1.SetACLPolicyRequest
-	(*GetAuthKeyRequest)(nil),           // 14: ionscale.v1.GetAuthKeyRequest
-	(*CreateAuthKeyRequest)(nil),        // 15: ionscale.v1.CreateAuthKeyRequest
-	(*DeleteAuthKeyRequest)(nil),        // 16: ionscale.v1.DeleteAuthKeyRequest
-	(*ListAuthKeysRequest)(nil),         // 17: ionscale.v1.ListAuthKeysRequest
-	(*ListUsersRequest)(nil),            // 18: ionscale.v1.ListUsersRequest
-	(*DeleteUserRequest)(nil),           // 19: ionscale.v1.DeleteUserRequest
-	(*GetMachineRequest)(nil),           // 20: ionscale.v1.GetMachineRequest
-	(*ListMachinesRequest)(nil),         // 21: ionscale.v1.ListMachinesRequest
-	(*ExpireMachineRequest)(nil),        // 22: ionscale.v1.ExpireMachineRequest
-	(*DeleteMachineRequest)(nil),        // 23: ionscale.v1.DeleteMachineRequest
-	(*SetMachineKeyExpiryRequest)(nil),  // 24: ionscale.v1.SetMachineKeyExpiryRequest
-	(*GetMachineRoutesRequest)(nil),     // 25: ionscale.v1.GetMachineRoutesRequest
-	(*EnableMachineRoutesRequest)(nil),  // 26: ionscale.v1.EnableMachineRoutesRequest
-	(*DisableMachineRoutesRequest)(nil), // 27: ionscale.v1.DisableMachineRoutesRequest
-	(*EnableExitNodeRequest)(nil),       // 28: ionscale.v1.EnableExitNodeRequest
-	(*DisableExitNodeRequest)(nil),      // 29: ionscale.v1.DisableExitNodeRequest
-	(*GetVersionResponse)(nil),          // 30: ionscale.v1.GetVersionResponse
-	(*AuthenticationResponse)(nil),      // 31: ionscale.v1.AuthenticationResponse
-	(*GetDERPMapResponse)(nil),          // 32: ionscale.v1.GetDERPMapResponse
-	(*SetDERPMapResponse)(nil),          // 33: ionscale.v1.SetDERPMapResponse
-	(*CreateTailnetResponse)(nil),       // 34: ionscale.v1.CreateTailnetResponse
-	(*GetTailnetResponse)(nil),          // 35: ionscale.v1.GetTailnetResponse
-	(*ListTailnetResponse)(nil),         // 36: ionscale.v1.ListTailnetResponse
-	(*DeleteTailnetResponse)(nil),       // 37: ionscale.v1.DeleteTailnetResponse
-	(*GetDNSConfigResponse)(nil),        // 38: ionscale.v1.GetDNSConfigResponse
-	(*SetDNSConfigResponse)(nil),        // 39: ionscale.v1.SetDNSConfigResponse
-	(*GetIAMPolicyResponse)(nil),        // 40: ionscale.v1.GetIAMPolicyResponse
-	(*SetIAMPolicyResponse)(nil),        // 41: ionscale.v1.SetIAMPolicyResponse
-	(*GetACLPolicyResponse)(nil),        // 42: ionscale.v1.GetACLPolicyResponse
-	(*SetACLPolicyResponse)(nil),        // 43: ionscale.v1.SetACLPolicyResponse
-	(*GetAuthKeyResponse)(nil),          // 44: ionscale.v1.GetAuthKeyResponse
-	(*CreateAuthKeyResponse)(nil),       // 45: ionscale.v1.CreateAuthKeyResponse
-	(*DeleteAuthKeyResponse)(nil),       // 46: ionscale.v1.DeleteAuthKeyResponse
-	(*ListAuthKeysResponse)(nil),        // 47: ionscale.v1.ListAuthKeysResponse
-	(*ListUsersResponse)(nil),           // 48: ionscale.v1.ListUsersResponse
-	(*DeleteUserResponse)(nil),          // 49: ionscale.v1.DeleteUserResponse
-	(*GetMachineResponse)(nil),          // 50: ionscale.v1.GetMachineResponse
-	(*ListMachinesResponse)(nil),        // 51: ionscale.v1.ListMachinesResponse
-	(*ExpireMachineResponse)(nil),       // 52: ionscale.v1.ExpireMachineResponse
-	(*DeleteMachineResponse)(nil),       // 53: ionscale.v1.DeleteMachineResponse
-	(*SetMachineKeyExpiryResponse)(nil), // 54: ionscale.v1.SetMachineKeyExpiryResponse
-	(*GetMachineRoutesResponse)(nil),    // 55: ionscale.v1.GetMachineRoutesResponse
+	(*GetVersionRequest)(nil),                // 0: ionscale.v1.GetVersionRequest
+	(*AuthenticationRequest)(nil),            // 1: ionscale.v1.AuthenticationRequest
+	(*GetDERPMapRequest)(nil),                // 2: ionscale.v1.GetDERPMapRequest
+	(*SetDERPMapRequest)(nil),                // 3: ionscale.v1.SetDERPMapRequest
+	(*CreateTailnetRequest)(nil),             // 4: ionscale.v1.CreateTailnetRequest
+	(*GetTailnetRequest)(nil),                // 5: ionscale.v1.GetTailnetRequest
+	(*ListTailnetRequest)(nil),               // 6: ionscale.v1.ListTailnetRequest
+	(*DeleteTailnetRequest)(nil),             // 7: ionscale.v1.DeleteTailnetRequest
+	(*GetDNSConfigRequest)(nil),              // 8: ionscale.v1.GetDNSConfigRequest
+	(*SetDNSConfigRequest)(nil),              // 9: ionscale.v1.SetDNSConfigRequest
+	(*GetIAMPolicyRequest)(nil),              // 10: ionscale.v1.GetIAMPolicyRequest
+	(*SetIAMPolicyRequest)(nil),              // 11: ionscale.v1.SetIAMPolicyRequest
+	(*GetACLPolicyRequest)(nil),              // 12: ionscale.v1.GetACLPolicyRequest
+	(*SetACLPolicyRequest)(nil),              // 13: ionscale.v1.SetACLPolicyRequest
+	(*GetAuthKeyRequest)(nil),                // 14: ionscale.v1.GetAuthKeyRequest
+	(*CreateAuthKeyRequest)(nil),             // 15: ionscale.v1.CreateAuthKeyRequest
+	(*DeleteAuthKeyRequest)(nil),             // 16: ionscale.v1.DeleteAuthKeyRequest
+	(*ListAuthKeysRequest)(nil),              // 17: ionscale.v1.ListAuthKeysRequest
+	(*ListUsersRequest)(nil),                 // 18: ionscale.v1.ListUsersRequest
+	(*DeleteUserRequest)(nil),                // 19: ionscale.v1.DeleteUserRequest
+	(*GetMachineRequest)(nil),                // 20: ionscale.v1.GetMachineRequest
+	(*ListMachinesRequest)(nil),              // 21: ionscale.v1.ListMachinesRequest
+	(*ExpireMachineRequest)(nil),             // 22: ionscale.v1.ExpireMachineRequest
+	(*DeleteMachineRequest)(nil),             // 23: ionscale.v1.DeleteMachineRequest
+	(*SetMachineKeyExpiryRequest)(nil),       // 24: ionscale.v1.SetMachineKeyExpiryRequest
+	(*GetMachineRoutesRequest)(nil),          // 25: ionscale.v1.GetMachineRoutesRequest
+	(*EnableMachineRoutesRequest)(nil),       // 26: ionscale.v1.EnableMachineRoutesRequest
+	(*DisableMachineRoutesRequest)(nil),      // 27: ionscale.v1.DisableMachineRoutesRequest
+	(*EnableExitNodeRequest)(nil),            // 28: ionscale.v1.EnableExitNodeRequest
+	(*DisableExitNodeRequest)(nil),           // 29: ionscale.v1.DisableExitNodeRequest
+	(*EnableHttpsCertificatesRequest)(nil),   // 30: ionscale.v1.EnableHttpsCertificatesRequest
+	(*DisableHttpsCertificatesRequest)(nil),  // 31: ionscale.v1.DisableHttpsCertificatesRequest
+	(*GetVersionResponse)(nil),               // 32: ionscale.v1.GetVersionResponse
+	(*AuthenticationResponse)(nil),           // 33: ionscale.v1.AuthenticationResponse
+	(*GetDERPMapResponse)(nil),               // 34: ionscale.v1.GetDERPMapResponse
+	(*SetDERPMapResponse)(nil),               // 35: ionscale.v1.SetDERPMapResponse
+	(*CreateTailnetResponse)(nil),            // 36: ionscale.v1.CreateTailnetResponse
+	(*GetTailnetResponse)(nil),               // 37: ionscale.v1.GetTailnetResponse
+	(*ListTailnetResponse)(nil),              // 38: ionscale.v1.ListTailnetResponse
+	(*DeleteTailnetResponse)(nil),            // 39: ionscale.v1.DeleteTailnetResponse
+	(*GetDNSConfigResponse)(nil),             // 40: ionscale.v1.GetDNSConfigResponse
+	(*SetDNSConfigResponse)(nil),             // 41: ionscale.v1.SetDNSConfigResponse
+	(*GetIAMPolicyResponse)(nil),             // 42: ionscale.v1.GetIAMPolicyResponse
+	(*SetIAMPolicyResponse)(nil),             // 43: ionscale.v1.SetIAMPolicyResponse
+	(*GetACLPolicyResponse)(nil),             // 44: ionscale.v1.GetACLPolicyResponse
+	(*SetACLPolicyResponse)(nil),             // 45: ionscale.v1.SetACLPolicyResponse
+	(*GetAuthKeyResponse)(nil),               // 46: ionscale.v1.GetAuthKeyResponse
+	(*CreateAuthKeyResponse)(nil),            // 47: ionscale.v1.CreateAuthKeyResponse
+	(*DeleteAuthKeyResponse)(nil),            // 48: ionscale.v1.DeleteAuthKeyResponse
+	(*ListAuthKeysResponse)(nil),             // 49: ionscale.v1.ListAuthKeysResponse
+	(*ListUsersResponse)(nil),                // 50: ionscale.v1.ListUsersResponse
+	(*DeleteUserResponse)(nil),               // 51: ionscale.v1.DeleteUserResponse
+	(*GetMachineResponse)(nil),               // 52: ionscale.v1.GetMachineResponse
+	(*ListMachinesResponse)(nil),             // 53: ionscale.v1.ListMachinesResponse
+	(*ExpireMachineResponse)(nil),            // 54: ionscale.v1.ExpireMachineResponse
+	(*DeleteMachineResponse)(nil),            // 55: ionscale.v1.DeleteMachineResponse
+	(*SetMachineKeyExpiryResponse)(nil),      // 56: ionscale.v1.SetMachineKeyExpiryResponse
+	(*GetMachineRoutesResponse)(nil),         // 57: ionscale.v1.GetMachineRoutesResponse
+	(*EnableHttpsCertificatesResponse)(nil),  // 58: ionscale.v1.EnableHttpsCertificatesResponse
+	(*DisableHttpsCertificatesResponse)(nil), // 59: ionscale.v1.DisableHttpsCertificatesResponse
 }
 var file_ionscale_v1_ionscale_proto_depIdxs = []int32{
 	0,  // 0: ionscale.v1.IonscaleService.GetVersion:input_type -> ionscale.v1.GetVersionRequest
@@ -312,38 +331,42 @@ var file_ionscale_v1_ionscale_proto_depIdxs = []int32{
 	27, // 27: ionscale.v1.IonscaleService.DisableMachineRoutes:input_type -> ionscale.v1.DisableMachineRoutesRequest
 	28, // 28: ionscale.v1.IonscaleService.EnableExitNode:input_type -> ionscale.v1.EnableExitNodeRequest
 	29, // 29: ionscale.v1.IonscaleService.DisableExitNode:input_type -> ionscale.v1.DisableExitNodeRequest
-	30, // 30: ionscale.v1.IonscaleService.GetVersion:output_type -> ionscale.v1.GetVersionResponse
-	31, // 31: ionscale.v1.IonscaleService.Authenticate:output_type -> ionscale.v1.AuthenticationResponse
-	32, // 32: ionscale.v1.IonscaleService.GetDERPMap:output_type -> ionscale.v1.GetDERPMapResponse
-	33, // 33: ionscale.v1.IonscaleService.SetDERPMap:output_type -> ionscale.v1.SetDERPMapResponse
-	34, // 34: ionscale.v1.IonscaleService.CreateTailnet:output_type -> ionscale.v1.CreateTailnetResponse
-	35, // 35: ionscale.v1.IonscaleService.GetTailnet:output_type -> ionscale.v1.GetTailnetResponse
-	36, // 36: ionscale.v1.IonscaleService.ListTailnets:output_type -> ionscale.v1.ListTailnetResponse
-	37, // 37: ionscale.v1.IonscaleService.DeleteTailnet:output_type -> ionscale.v1.DeleteTailnetResponse
-	38, // 38: ionscale.v1.IonscaleService.GetDNSConfig:output_type -> ionscale.v1.GetDNSConfigResponse
-	39, // 39: ionscale.v1.IonscaleService.SetDNSConfig:output_type -> ionscale.v1.SetDNSConfigResponse
-	40, // 40: ionscale.v1.IonscaleService.GetIAMPolicy:output_type -> ionscale.v1.GetIAMPolicyResponse
-	41, // 41: ionscale.v1.IonscaleService.SetIAMPolicy:output_type -> ionscale.v1.SetIAMPolicyResponse
-	42, // 42: ionscale.v1.IonscaleService.GetACLPolicy:output_type -> ionscale.v1.GetACLPolicyResponse
-	43, // 43: ionscale.v1.IonscaleService.SetACLPolicy:output_type -> ionscale.v1.SetACLPolicyResponse
-	44, // 44: ionscale.v1.IonscaleService.GetAuthKey:output_type -> ionscale.v1.GetAuthKeyResponse
-	45, // 45: ionscale.v1.IonscaleService.CreateAuthKey:output_type -> ionscale.v1.CreateAuthKeyResponse
-	46, // 46: ionscale.v1.IonscaleService.DeleteAuthKey:output_type -> ionscale.v1.DeleteAuthKeyResponse
-	47, // 47: ionscale.v1.IonscaleService.ListAuthKeys:output_type -> ionscale.v1.ListAuthKeysResponse
-	48, // 48: ionscale.v1.IonscaleService.ListUsers:output_type -> ionscale.v1.ListUsersResponse
-	49, // 49: ionscale.v1.IonscaleService.DeleteUser:output_type -> ionscale.v1.DeleteUserResponse
-	50, // 50: ionscale.v1.IonscaleService.GetMachine:output_type -> ionscale.v1.GetMachineResponse
-	51, // 51: ionscale.v1.IonscaleService.ListMachines:output_type -> ionscale.v1.ListMachinesResponse
-	52, // 52: ionscale.v1.IonscaleService.ExpireMachine:output_type -> ionscale.v1.ExpireMachineResponse
-	53, // 53: ionscale.v1.IonscaleService.DeleteMachine:output_type -> ionscale.v1.DeleteMachineResponse
-	54, // 54: ionscale.v1.IonscaleService.SetMachineKeyExpiry:output_type -> ionscale.v1.SetMachineKeyExpiryResponse
-	55, // 55: ionscale.v1.IonscaleService.GetMachineRoutes:output_type -> ionscale.v1.GetMachineRoutesResponse
-	55, // 56: ionscale.v1.IonscaleService.EnableMachineRoutes:output_type -> ionscale.v1.GetMachineRoutesResponse
-	55, // 57: ionscale.v1.IonscaleService.DisableMachineRoutes:output_type -> ionscale.v1.GetMachineRoutesResponse
-	55, // 58: ionscale.v1.IonscaleService.EnableExitNode:output_type -> ionscale.v1.GetMachineRoutesResponse
-	55, // 59: ionscale.v1.IonscaleService.DisableExitNode:output_type -> ionscale.v1.GetMachineRoutesResponse
-	30, // [30:60] is the sub-list for method output_type
-	0,  // [0:30] is the sub-list for method input_type
+	30, // 30: ionscale.v1.IonscaleService.EnableHttpsCertificates:input_type -> ionscale.v1.EnableHttpsCertificatesRequest
+	31, // 31: ionscale.v1.IonscaleService.DisableHttpsCertificates:input_type -> ionscale.v1.DisableHttpsCertificatesRequest
+	32, // 32: ionscale.v1.IonscaleService.GetVersion:output_type -> ionscale.v1.GetVersionResponse
+	33, // 33: ionscale.v1.IonscaleService.Authenticate:output_type -> ionscale.v1.AuthenticationResponse
+	34, // 34: ionscale.v1.IonscaleService.GetDERPMap:output_type -> ionscale.v1.GetDERPMapResponse
+	35, // 35: ionscale.v1.IonscaleService.SetDERPMap:output_type -> ionscale.v1.SetDERPMapResponse
+	36, // 36: ionscale.v1.IonscaleService.CreateTailnet:output_type -> ionscale.v1.CreateTailnetResponse
+	37, // 37: ionscale.v1.IonscaleService.GetTailnet:output_type -> ionscale.v1.GetTailnetResponse
+	38, // 38: ionscale.v1.IonscaleService.ListTailnets:output_type -> ionscale.v1.ListTailnetResponse
+	39, // 39: ionscale.v1.IonscaleService.DeleteTailnet:output_type -> ionscale.v1.DeleteTailnetResponse
+	40, // 40: ionscale.v1.IonscaleService.GetDNSConfig:output_type -> ionscale.v1.GetDNSConfigResponse
+	41, // 41: ionscale.v1.IonscaleService.SetDNSConfig:output_type -> ionscale.v1.SetDNSConfigResponse
+	42, // 42: ionscale.v1.IonscaleService.GetIAMPolicy:output_type -> ionscale.v1.GetIAMPolicyResponse
+	43, // 43: ionscale.v1.IonscaleService.SetIAMPolicy:output_type -> ionscale.v1.SetIAMPolicyResponse
+	44, // 44: ionscale.v1.IonscaleService.GetACLPolicy:output_type -> ionscale.v1.GetACLPolicyResponse
+	45, // 45: ionscale.v1.IonscaleService.SetACLPolicy:output_type -> ionscale.v1.SetACLPolicyResponse
+	46, // 46: ionscale.v1.IonscaleService.GetAuthKey:output_type -> ionscale.v1.GetAuthKeyResponse
+	47, // 47: ionscale.v1.IonscaleService.CreateAuthKey:output_type -> ionscale.v1.CreateAuthKeyResponse
+	48, // 48: ionscale.v1.IonscaleService.DeleteAuthKey:output_type -> ionscale.v1.DeleteAuthKeyResponse
+	49, // 49: ionscale.v1.IonscaleService.ListAuthKeys:output_type -> ionscale.v1.ListAuthKeysResponse
+	50, // 50: ionscale.v1.IonscaleService.ListUsers:output_type -> ionscale.v1.ListUsersResponse
+	51, // 51: ionscale.v1.IonscaleService.DeleteUser:output_type -> ionscale.v1.DeleteUserResponse
+	52, // 52: ionscale.v1.IonscaleService.GetMachine:output_type -> ionscale.v1.GetMachineResponse
+	53, // 53: ionscale.v1.IonscaleService.ListMachines:output_type -> ionscale.v1.ListMachinesResponse
+	54, // 54: ionscale.v1.IonscaleService.ExpireMachine:output_type -> ionscale.v1.ExpireMachineResponse
+	55, // 55: ionscale.v1.IonscaleService.DeleteMachine:output_type -> ionscale.v1.DeleteMachineResponse
+	56, // 56: ionscale.v1.IonscaleService.SetMachineKeyExpiry:output_type -> ionscale.v1.SetMachineKeyExpiryResponse
+	57, // 57: ionscale.v1.IonscaleService.GetMachineRoutes:output_type -> ionscale.v1.GetMachineRoutesResponse
+	57, // 58: ionscale.v1.IonscaleService.EnableMachineRoutes:output_type -> ionscale.v1.GetMachineRoutesResponse
+	57, // 59: ionscale.v1.IonscaleService.DisableMachineRoutes:output_type -> ionscale.v1.GetMachineRoutesResponse
+	57, // 60: ionscale.v1.IonscaleService.EnableExitNode:output_type -> ionscale.v1.GetMachineRoutesResponse
+	57, // 61: ionscale.v1.IonscaleService.DisableExitNode:output_type -> ionscale.v1.GetMachineRoutesResponse
+	58, // 62: ionscale.v1.IonscaleService.EnableHttpsCertificates:output_type -> ionscale.v1.EnableHttpsCertificatesResponse
+	59, // 63: ionscale.v1.IonscaleService.DisableHttpsCertificates:output_type -> ionscale.v1.DisableHttpsCertificatesResponse
+	32, // [32:64] is the sub-list for method output_type
+	0,  // [0:32] is the sub-list for method input_type
 	0,  // [0:0] is the sub-list for extension type_name
 	0,  // [0:0] is the sub-list for extension extendee
 	0,  // [0:0] is the sub-list for field type_name
@@ -57,6 +57,8 @@ type IonscaleServiceClient interface {
 	DisableMachineRoutes(context.Context, *connect_go.Request[v1.DisableMachineRoutesRequest]) (*connect_go.Response[v1.GetMachineRoutesResponse], error)
 	EnableExitNode(context.Context, *connect_go.Request[v1.EnableExitNodeRequest]) (*connect_go.Response[v1.GetMachineRoutesResponse], error)
 	DisableExitNode(context.Context, *connect_go.Request[v1.DisableExitNodeRequest]) (*connect_go.Response[v1.GetMachineRoutesResponse], error)
+	EnableHttpsCertificates(context.Context, *connect_go.Request[v1.EnableHttpsCertificatesRequest]) (*connect_go.Response[v1.EnableHttpsCertificatesResponse], error)
+	DisableHttpsCertificates(context.Context, *connect_go.Request[v1.DisableHttpsCertificatesRequest]) (*connect_go.Response[v1.DisableHttpsCertificatesResponse], error)
 }

 // NewIonscaleServiceClient constructs a client for the ionscale.v1.IonscaleService service. By
@@ -219,41 +221,53 @@ func NewIonscaleServiceClient(httpClient connect_go.HTTPClient, baseURL string,
 			baseURL+"/ionscale.v1.IonscaleService/DisableExitNode",
 			opts...,
 		),
+		enableHttpsCertificates: connect_go.NewClient[v1.EnableHttpsCertificatesRequest, v1.EnableHttpsCertificatesResponse](
+			httpClient,
+			baseURL+"/ionscale.v1.IonscaleService/EnableHttpsCertificates",
+			opts...,
+		),
+		disableHttpsCertificates: connect_go.NewClient[v1.DisableHttpsCertificatesRequest, v1.DisableHttpsCertificatesResponse](
+			httpClient,
+			baseURL+"/ionscale.v1.IonscaleService/DisableHttpsCertificates",
+			opts...,
+		),
 	}
 }

 // ionscaleServiceClient implements IonscaleServiceClient.
 type ionscaleServiceClient struct {
-	getVersion           *connect_go.Client[v1.GetVersionRequest, v1.GetVersionResponse]
-	authenticate         *connect_go.Client[v1.AuthenticationRequest, v1.AuthenticationResponse]
-	getDERPMap           *connect_go.Client[v1.GetDERPMapRequest, v1.GetDERPMapResponse]
-	setDERPMap           *connect_go.Client[v1.SetDERPMapRequest, v1.SetDERPMapResponse]
-	createTailnet        *connect_go.Client[v1.CreateTailnetRequest, v1.CreateTailnetResponse]
-	getTailnet           *connect_go.Client[v1.GetTailnetRequest, v1.GetTailnetResponse]
-	listTailnets         *connect_go.Client[v1.ListTailnetRequest, v1.ListTailnetResponse]
-	deleteTailnet        *connect_go.Client[v1.DeleteTailnetRequest, v1.DeleteTailnetResponse]
-	getDNSConfig         *connect_go.Client[v1.GetDNSConfigRequest, v1.GetDNSConfigResponse]
-	setDNSConfig         *connect_go.Client[v1.SetDNSConfigRequest, v1.SetDNSConfigResponse]
-	getIAMPolicy         *connect_go.Client[v1.GetIAMPolicyRequest, v1.GetIAMPolicyResponse]
-	setIAMPolicy         *connect_go.Client[v1.SetIAMPolicyRequest, v1.SetIAMPolicyResponse]
-	getACLPolicy         *connect_go.Client[v1.GetACLPolicyRequest, v1.GetACLPolicyResponse]
-	setACLPolicy         *connect_go.Client[v1.SetACLPolicyRequest, v1.SetACLPolicyResponse]
-	getAuthKey           *connect_go.Client[v1.GetAuthKeyRequest, v1.GetAuthKeyResponse]
-	createAuthKey        *connect_go.Client[v1.CreateAuthKeyRequest, v1.CreateAuthKeyResponse]
-	deleteAuthKey        *connect_go.Client[v1.DeleteAuthKeyRequest, v1.DeleteAuthKeyResponse]
-	listAuthKeys         *connect_go.Client[v1.ListAuthKeysRequest, v1.ListAuthKeysResponse]
-	listUsers            *connect_go.Client[v1.ListUsersRequest, v1.ListUsersResponse]
-	deleteUser           *connect_go.Client[v1.DeleteUserRequest, v1.DeleteUserResponse]
-	getMachine           *connect_go.Client[v1.GetMachineRequest, v1.GetMachineResponse]
-	listMachines         *connect_go.Client[v1.ListMachinesRequest, v1.ListMachinesResponse]
-	expireMachine        *connect_go.Client[v1.ExpireMachineRequest, v1.ExpireMachineResponse]
-	deleteMachine        *connect_go.Client[v1.DeleteMachineRequest, v1.DeleteMachineResponse]
-	setMachineKeyExpiry  *connect_go.Client[v1.SetMachineKeyExpiryRequest, v1.SetMachineKeyExpiryResponse]
-	getMachineRoutes     *connect_go.Client[v1.GetMachineRoutesRequest, v1.GetMachineRoutesResponse]
-	enableMachineRoutes  *connect_go.Client[v1.EnableMachineRoutesRequest, v1.GetMachineRoutesResponse]
-	disableMachineRoutes *connect_go.Client[v1.DisableMachineRoutesRequest, v1.GetMachineRoutesResponse]
-	enableExitNode       *connect_go.Client[v1.EnableExitNodeRequest, v1.GetMachineRoutesResponse]
-	disableExitNode      *connect_go.Client[v1.DisableExitNodeRequest, v1.GetMachineRoutesResponse]
+	getVersion               *connect_go.Client[v1.GetVersionRequest, v1.GetVersionResponse]
+	authenticate             *connect_go.Client[v1.AuthenticationRequest, v1.AuthenticationResponse]
+	getDERPMap               *connect_go.Client[v1.GetDERPMapRequest, v1.GetDERPMapResponse]
+	setDERPMap               *connect_go.Client[v1.SetDERPMapRequest, v1.SetDERPMapResponse]
+	createTailnet            *connect_go.Client[v1.CreateTailnetRequest, v1.CreateTailnetResponse]
+	getTailnet               *connect_go.Client[v1.GetTailnetRequest, v1.GetTailnetResponse]
+	listTailnets             *connect_go.Client[v1.ListTailnetRequest, v1.ListTailnetResponse]
+	deleteTailnet            *connect_go.Client[v1.DeleteTailnetRequest, v1.DeleteTailnetResponse]
+	getDNSConfig             *connect_go.Client[v1.GetDNSConfigRequest, v1.GetDNSConfigResponse]
+	setDNSConfig             *connect_go.Client[v1.SetDNSConfigRequest, v1.SetDNSConfigResponse]
+	getIAMPolicy             *connect_go.Client[v1.GetIAMPolicyRequest, v1.GetIAMPolicyResponse]
+	setIAMPolicy             *connect_go.Client[v1.SetIAMPolicyRequest, v1.SetIAMPolicyResponse]
+	getACLPolicy             *connect_go.Client[v1.GetACLPolicyRequest, v1.GetACLPolicyResponse]
+	setACLPolicy             *connect_go.Client[v1.SetACLPolicyRequest, v1.SetACLPolicyResponse]
+	getAuthKey               *connect_go.Client[v1.GetAuthKeyRequest, v1.GetAuthKeyResponse]
+	createAuthKey            *connect_go.Client[v1.CreateAuthKeyRequest, v1.CreateAuthKeyResponse]
+	deleteAuthKey            *connect_go.Client[v1.DeleteAuthKeyRequest, v1.DeleteAuthKeyResponse]
+	listAuthKeys             *connect_go.Client[v1.ListAuthKeysRequest, v1.ListAuthKeysResponse]
+	listUsers                *connect_go.Client[v1.ListUsersRequest, v1.ListUsersResponse]
+	deleteUser               *connect_go.Client[v1.DeleteUserRequest, v1.DeleteUserResponse]
+	getMachine               *connect_go.Client[v1.GetMachineRequest, v1.GetMachineResponse]
+	listMachines             *connect_go.Client[v1.ListMachinesRequest, v1.ListMachinesResponse]
+	expireMachine            *connect_go.Client[v1.ExpireMachineRequest, v1.ExpireMachineResponse]
+	deleteMachine            *connect_go.Client[v1.DeleteMachineRequest, v1.DeleteMachineResponse]
+	setMachineKeyExpiry      *connect_go.Client[v1.SetMachineKeyExpiryRequest, v1.SetMachineKeyExpiryResponse]
+	getMachineRoutes         *connect_go.Client[v1.GetMachineRoutesRequest, v1.GetMachineRoutesResponse]
+	enableMachineRoutes      *connect_go.Client[v1.EnableMachineRoutesRequest, v1.GetMachineRoutesResponse]
+	disableMachineRoutes     *connect_go.Client[v1.DisableMachineRoutesRequest, v1.GetMachineRoutesResponse]
+	enableExitNode           *connect_go.Client[v1.EnableExitNodeRequest, v1.GetMachineRoutesResponse]
+	disableExitNode          *connect_go.Client[v1.DisableExitNodeRequest, v1.GetMachineRoutesResponse]
+	enableHttpsCertificates  *connect_go.Client[v1.EnableHttpsCertificatesRequest, v1.EnableHttpsCertificatesResponse]
+	disableHttpsCertificates *connect_go.Client[v1.DisableHttpsCertificatesRequest, v1.DisableHttpsCertificatesResponse]
 }

 // GetVersion calls ionscale.v1.IonscaleService.GetVersion.
@@ -406,6 +420,16 @@ func (c *ionscaleServiceClient) DisableExitNode(ctx context.Context, req *connec
 	return c.disableExitNode.CallUnary(ctx, req)
 }

+// EnableHttpsCertificates calls ionscale.v1.IonscaleService.EnableHttpsCertificates.
+func (c *ionscaleServiceClient) EnableHttpsCertificates(ctx context.Context, req *connect_go.Request[v1.EnableHttpsCertificatesRequest]) (*connect_go.Response[v1.EnableHttpsCertificatesResponse], error) {
+	return c.enableHttpsCertificates.CallUnary(ctx, req)
+}
+
+// DisableHttpsCertificates calls ionscale.v1.IonscaleService.DisableHttpsCertificates.
+func (c *ionscaleServiceClient) DisableHttpsCertificates(ctx context.Context, req *connect_go.Request[v1.DisableHttpsCertificatesRequest]) (*connect_go.Response[v1.DisableHttpsCertificatesResponse], error) {
+	return c.disableHttpsCertificates.CallUnary(ctx, req)
+}
+
 // IonscaleServiceHandler is an implementation of the ionscale.v1.IonscaleService service.
 type IonscaleServiceHandler interface {
 	GetVersion(context.Context, *connect_go.Request[v1.GetVersionRequest]) (*connect_go.Response[v1.GetVersionResponse], error)
@@ -438,6 +462,8 @@ type IonscaleServiceHandler interface {
 	DisableMachineRoutes(context.Context, *connect_go.Request[v1.DisableMachineRoutesRequest]) (*connect_go.Response[v1.GetMachineRoutesResponse], error)
 	EnableExitNode(context.Context, *connect_go.Request[v1.EnableExitNodeRequest]) (*connect_go.Response[v1.GetMachineRoutesResponse], error)
 	DisableExitNode(context.Context, *connect_go.Request[v1.DisableExitNodeRequest]) (*connect_go.Response[v1.GetMachineRoutesResponse], error)
+	EnableHttpsCertificates(context.Context, *connect_go.Request[v1.EnableHttpsCertificatesRequest]) (*connect_go.Response[v1.EnableHttpsCertificatesResponse], error)
+	DisableHttpsCertificates(context.Context, *connect_go.Request[v1.DisableHttpsCertificatesRequest]) (*connect_go.Response[v1.DisableHttpsCertificatesResponse], error)
 }

 // NewIonscaleServiceHandler builds an HTTP handler from the service implementation. It returns the
@@ -597,6 +623,16 @@ func NewIonscaleServiceHandler(svc IonscaleServiceHandler, opts ...connect_go.Ha
 		svc.DisableExitNode,
 		opts...,
 	))
+	mux.Handle("/ionscale.v1.IonscaleService/EnableHttpsCertificates", connect_go.NewUnaryHandler(
+		"/ionscale.v1.IonscaleService/EnableHttpsCertificates",
+		svc.EnableHttpsCertificates,
+		opts...,
+	))
+	mux.Handle("/ionscale.v1.IonscaleService/DisableHttpsCertificates", connect_go.NewUnaryHandler(
+		"/ionscale.v1.IonscaleService/DisableHttpsCertificates",
+		svc.DisableHttpsCertificates,
+		opts...,
+	))
 	return "/ionscale.v1.IonscaleService/", mux
 }

@@ -722,3 +758,11 @@ func (UnimplementedIonscaleServiceHandler) EnableExitNode(context.Context, *conn
 func (UnimplementedIonscaleServiceHandler) DisableExitNode(context.Context, *connect_go.Request[v1.DisableExitNodeRequest]) (*connect_go.Response[v1.GetMachineRoutesResponse], error) {
 	return nil, connect_go.NewError(connect_go.CodeUnimplemented, errors.New("ionscale.v1.IonscaleService.DisableExitNode is not implemented"))
 }
+
+func (UnimplementedIonscaleServiceHandler) EnableHttpsCertificates(context.Context, *connect_go.Request[v1.EnableHttpsCertificatesRequest]) (*connect_go.Response[v1.EnableHttpsCertificatesResponse], error) {
+	return nil, connect_go.NewError(connect_go.CodeUnimplemented, errors.New("ionscale.v1.IonscaleService.EnableHttpsCertificates is not implemented"))
+}
+
+func (UnimplementedIonscaleServiceHandler) DisableHttpsCertificates(context.Context, *connect_go.Request[v1.DisableHttpsCertificatesRequest]) (*connect_go.Response[v1.DisableHttpsCertificatesResponse], error) {
+	return nil, connect_go.NewError(connect_go.CodeUnimplemented, errors.New("ionscale.v1.IonscaleService.DisableHttpsCertificates is not implemented"))
+}
@@ -23,6 +23,21 @@ message SetDNSConfigResponse {
  DNSConfig config = 1;
 }

+message EnableHttpsCertificatesRequest {
+  uint64 tailnet_id = 1;
+  string alias = 2;
+}
+
+message EnableHttpsCertificatesResponse {
+}
+
+message DisableHttpsCertificatesRequest {
+  uint64 tailnet_id = 1;
+}
+
+message DisableHttpsCertificatesResponse {
+}
+
 message DNSConfig {
  bool magic_dns = 1;
  bool override_local_dns = 2;
@@ -58,4 +58,6 @@ service IonscaleService {
  rpc DisableMachineRoutes (DisableMachineRoutesRequest) returns (GetMachineRoutesResponse) {}
  rpc EnableExitNode (EnableExitNodeRequest) returns (GetMachineRoutesResponse) {}
  rpc DisableExitNode (DisableExitNodeRequest) returns (GetMachineRoutesResponse) {}
+  rpc EnableHttpsCertificates (EnableHttpsCertificatesRequest) returns (EnableHttpsCertificatesResponse) {}
+  rpc DisableHttpsCertificates (DisableHttpsCertificatesRequest) returns (DisableHttpsCertificatesResponse) {}
 }
Author	SHA1	Message	Date
Johan Siebens	2e57338b54	feat: add id token handler	2022-09-30 16:13:25 +02:00
Johan Siebens	7cadcc9085	fix: move auth config a level deeper	2022-09-30 15:39:19 +02:00
Johan Siebens	22cfe60c7d	feat: add support for https certs	2022-09-30 15:31:57 +02:00