diff --git a/integration/auth_key_test.go b/integration/auth_key_test.go
index 1352a02b..c043dc36 100644
--- a/integration/auth_key_test.go
+++ b/integration/auth_key_test.go
@@ -16,6 +16,16 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
+// TestAuthKeyLogoutAndReloginSameUser tests the scenario where a set of nodes
+// are logged out and then logged back in as the same user. This test ensures
+// that the nodes can successfully re-authenticate and that their IP addresses
+// remain the same after re-login.
+//
+// The test sets up a scenario with two users, each with a set of nodes. It
+// then logs out all nodes, and then logs them back in using a new pre-
+// authenticated key for the same user. The test verifies that the node count
+// remains the same and that the nodes can still ping each other after re-
+// login.
 func TestAuthKeyLogoutAndReloginSameUser(t *testing.T) {
 	IntegrationSkip(t)
 
@@ -174,10 +184,15 @@ func assertLastSeenSet(t *testing.T, node *v1.Node) {
 	assert.NotNil(t, node.GetLastSeen())
 }
 
-// This test will first log in two sets of nodes to two sets of users, then
-// it will log out all users from user2 and log them in as user1.
-// This should leave us with all nodes connected to user1, while user2
-// still has nodes, but they are not connected.
+// TestAuthKeyLogoutAndReloginNewUser tests the scenario where a set of nodes
+// are logged out from one user and then logged back in as a different user.
+// This test ensures that the nodes are correctly associated with the new user
+// and that the old user's nodes are no longer connected.
+//
+// The test sets up a scenario with two users, each with a set of nodes. It
+// then logs out all nodes and logs them all back in as user1. The test
+// verifies that all nodes are now associated with user1, and that user2 has
+// no connected nodes.
 func TestAuthKeyLogoutAndReloginNewUser(t *testing.T) {
 	IntegrationSkip(t)
 
@@ -268,6 +283,14 @@ func TestAuthKeyLogoutAndReloginNewUser(t *testing.T) {
 	}
 }
 
+// TestAuthKeyLogoutAndReloginSameUserExpiredKey tests that a node cannot log
+// back in with an expired pre-authenticated key.
+//
+// The test sets up a scenario with two users and their nodes. It then logs
+// out all nodes, creates a new pre-authenticated key for each user, and then
+// expires the key. The test then attempts to log the nodes back in with the
+// expired key and verifies that the authentication fails with the expected
+// error message.
 func TestAuthKeyLogoutAndReloginSameUserExpiredKey(t *testing.T) {
 	IntegrationSkip(t)
 
diff --git a/integration/auth_oidc_test.go b/integration/auth_oidc_test.go
index d118b643..e13c938c 100644
--- a/integration/auth_oidc_test.go
+++ b/integration/auth_oidc_test.go
@@ -17,6 +17,14 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
+// TestOIDCAuthenticationPingAll tests the OIDC authentication flow and verifies
+// that all nodes can ping each other after successful authentication.
+//
+// This test sets up a scenario with two users and their corresponding nodes.
+// It configures Headscale with an OIDC provider and then simulates the OIDC
+// login flow for each node. After the nodes are authenticated, it checks that
+// they can all ping each other, ensuring that the OIDC authentication is
+// working correctly and that the nodes are properly connected to the network.
 func TestOIDCAuthenticationPingAll(t *testing.T) {
 	IntegrationSkip(t)
 
@@ -113,7 +121,14 @@ func TestOIDCAuthenticationPingAll(t *testing.T) {
 	}
 }
 
-// This test is really flaky.
+// TestOIDCExpireNodesBasedOnTokenExpiry tests that nodes are automatically
+// expired when their OIDC token expires.
+//
+// This test sets up a scenario with a short OIDC token expiry time. It then
+// authenticates the nodes and verifies that they can communicate. After waiting
+// for the token to expire, it checks that the nodes are logged out and can no
+// longer communicate, ensuring that the token expiry mechanism is working as
+// expected.
 func TestOIDCExpireNodesBasedOnTokenExpiry(t *testing.T) {
 	IntegrationSkip(t)
 
@@ -179,6 +194,15 @@ func TestOIDCExpireNodesBasedOnTokenExpiry(t *testing.T) {
 	}, shortAccessTTL+10*time.Second, 5*time.Second)
 }
 
+// TestOIDC024UserCreation tests the user creation process when using OIDC
+// authentication, covering different scenarios of user migration and email
+// verification.
+//
+// This is a table-driven test that sets up various scenarios with different
+// OIDC configurations, such as whether the email is verified and whether the
+// domain is stripped from the username. It then verifies that the users are
+// created correctly in Headscale with the expected properties, ensuring that
+// the user creation and migration logic is working as intended.
 func TestOIDC024UserCreation(t *testing.T) {
 	IntegrationSkip(t)
 
@@ -346,6 +370,13 @@ func TestOIDC024UserCreation(t *testing.T) {
 	}
 }
 
+// TestOIDCAuthenticationWithPKCE tests the OIDC authentication flow with PKCE
+// (Proof Key for Code Exchange) enabled.
+//
+// This test sets up a scenario with a single user and node. It configures
+// Headscale to use OIDC with PKCE enabled. It then simulates the OIDC login
+// flow and verifies that the node can successfully authenticate and connect to
+// the network. This ensures that the PKCE implementation is working correctly.
 func TestOIDCAuthenticationWithPKCE(t *testing.T) {
 	IntegrationSkip(t)
 
@@ -397,6 +428,15 @@ func TestOIDCAuthenticationWithPKCE(t *testing.T) {
 	t.Logf("%d successful pings out of %d", success, len(allClients)*len(allIps))
 }
 
+// TestOIDCReloginSameNodeNewUser tests the scenario where a node is logged out
+// from one user and then logged back in as a different user.
+//
+// This test sets up a scenario with a single node and two OIDC users. It first
+// logs in the node as user1, then logs it out and logs it back in as user2.
+// Finally, it logs the node out again and logs it back in as user1. The test
+// verifies that the node is correctly associated with the new user after each
+// re-login, and that the node's machine key remains the same while the node
+// key changes.
 func TestOIDCReloginSameNodeNewUser(t *testing.T) {
 	IntegrationSkip(t)
 
diff --git a/integration/auth_web_flow_test.go b/integration/auth_web_flow_test.go
index 56c05e62..f4784e7e 100644
--- a/integration/auth_web_flow_test.go
+++ b/integration/auth_web_flow_test.go
@@ -12,6 +12,14 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
+// TestAuthWebFlowAuthenticationPingAll tests the web authentication flow and
+// verifies that all nodes can ping each other after successful authentication.
+//
+// This test sets up a scenario with two users and their corresponding nodes.
+// It configures Headscale with a login URL and then simulates the web login
+// flow for each node. After the nodes are authenticated, it checks that they
+// can all ping each other, ensuring that the web authentication is working
+// correctly and that the nodes are properly connected to the network.
 func TestAuthWebFlowAuthenticationPingAll(t *testing.T) {
 	IntegrationSkip(t)
 
@@ -53,6 +61,15 @@ func TestAuthWebFlowAuthenticationPingAll(t *testing.T) {
 	t.Logf("%d successful pings out of %d", success, len(allClients)*len(allIps))
 }
 
+// TestAuthWebFlowLogoutAndRelogin tests the scenario where a set of nodes are
+// logged out and then logged back in using the web authentication flow.
+//
+// This test sets up a scenario with two users and their nodes. It first logs
+// them in using the web flow and verifies that they can communicate. It then
+// logs out all nodes and logs them back in again using the same web flow. The
+// test verifies that the nodes can successfully re-authenticate, that their IP
+// addresses remain the same, and that they can still ping each other after
+// re-login.
 func TestAuthWebFlowLogoutAndRelogin(t *testing.T) {
 	IntegrationSkip(t)
 
diff --git a/integration/derp_verify_endpoint_test.go b/integration/derp_verify_endpoint_test.go
index 4a5e52ae..448f0703 100644
--- a/integration/derp_verify_endpoint_test.go
+++ b/integration/derp_verify_endpoint_test.go
@@ -18,6 +18,14 @@ import (
 	"tailscale.com/types/key"
 )
 
+// TestDERPVerifyEndpoint tests that the DERP server can successfully verify the
+// client's identity with the Headscale server.
+//
+// This test sets up a scenario with a Headscale server and a DERP server. The
+// DERP server is configured to verify clients with the Headscale server. The
+// test then creates a set of Tailscale clients and verifies that they can
+// successfully connect to the DERP server. It also tests that a client with a
+// fake key cannot connect, ensuring that the verification is working correctly.
 func TestDERPVerifyEndpoint(t *testing.T) {
 	IntegrationSkip(t)
 
diff --git a/integration/dns_test.go b/integration/dns_test.go
index 7cac4d47..3ab0f6f9 100644
--- a/integration/dns_test.go
+++ b/integration/dns_test.go
@@ -13,6 +13,14 @@ import (
 	"tailscale.com/tailcfg"
 )
 
+// TestResolveMagicDNS tests that MagicDNS is working correctly by resolving the
+// FQDNs of all nodes in the network.
+//
+// This test sets up a scenario with two users and their corresponding nodes.
+// It then iterates through all clients and attempts to resolve the FQDN of
+// every other client. It verifies that the resolved IP addresses match the
+// actual IP addresses of the peer, ensuring that MagicDNS is correctly
+// configured and functioning.
 func TestResolveMagicDNS(t *testing.T) {
 	IntegrationSkip(t)
 
@@ -69,6 +77,15 @@ func TestResolveMagicDNS(t *testing.T) {
 	}
 }
 
+// TestResolveMagicDNSExtraRecordsPath tests the functionality of providing
+// extra DNS records to Headscale through a file.
+//
+// This test sets up a scenario with a Headscale instance configured to read
+// extra DNS records from a JSON file. It then verifies that the clients can
+// resolve the records defined in the file. The test also covers dynamic
+// updates to the file, including moving, copying, and deleting the file, to
+// ensure that Headscale correctly reloads the records and updates the DNS
+// configuration for the clients.
 func TestResolveMagicDNSExtraRecordsPath(t *testing.T) {
 	IntegrationSkip(t)
 
diff --git a/integration/embedded_derp_test.go b/integration/embedded_derp_test.go
index 051b9261..cbca7505 100644
--- a/integration/embedded_derp_test.go
+++ b/integration/embedded_derp_test.go
@@ -16,6 +16,14 @@ type ClientsSpec struct {
 	WebsocketDERP int
 }
 
+// TestDERPServerScenario tests the functionality of the embedded DERP server with
+// plain connections.
+//
+// This test sets up a scenario with multiple users and their nodes, and an
+// embedded DERP server. It verifies that all clients can connect to the DERP
+// server and communicate with each other. It also checks that the clients are
+// not using WebSocket connections for DERP, as this is not expected in this
+// scenario.
 func TestDERPServerScenario(t *testing.T) {
 	spec := ScenarioSpec{
 		NodesPerUser: 1,
@@ -66,6 +74,14 @@ func TestDERPServerScenario(t *testing.T) {
 	})
 }
 
+// TestDERPServerWebsocketScenario tests the functionality of the embedded DERP
+// server with WebSocket connections.
+//
+// This test sets up a scenario with multiple users and their nodes, and an
+// embedded DERP server configured to use WebSockets. It verifies that all
+// clients can connect to the DERP server and communicate with each other. It
+// also checks that the clients are indeed using WebSocket connections for DERP,
+// as expected in this scenario.
 func TestDERPServerWebsocketScenario(t *testing.T) {
 	spec := ScenarioSpec{
 		NodesPerUser: 1,