From 56b88494e89a3f5feb5f7fd4fc8c115bbbf6e071 Mon Sep 17 00:00:00 2001
From: Xe Iaso
Date: Fri, 23 Sep 2022 14:20:25 +0000
Subject: [PATCH 1/3] Add Nix flakes detritus so I can test this locally
Signed-off-by: Xe
---
 .envrc | 1 +
 .gitignore | 2 ++
 flake.lock | 42 ++++++++++++++++++++++++++++++++++++++++++
 flake.nix | 32 ++++++++++++++++++++++++++++++++
 4 files changed, 77 insertions(+)
 create mode 100644 .envrc
 create mode 100644 .gitignore
 create mode 100644 flake.lock
 create mode 100644 flake.nix
diff --git a/.envrc b/.envrc
new file mode 100644
index 0000000..3550a30
--- /dev/null
+++ b/.envrc
@@ -0,0 +1 @@
+use flake
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..726d2d6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+result
+.direnv
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..38b4909
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,42 @@
+{
+ "nodes": {
+ "nixpkgs": {
+ "locked": {
+ "lastModified": 1663850217,
+ "narHash": "sha256-tp9nXo1/IdN/xN9m06ryy0QUAEfoN6K56ObM/1QTAjc=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "ae1dc133ea5f1538d035af41e5ddbc2ebcb67b90",
+ "type": "github"
+ },
+ "original": {
+ "id": "nixpkgs",
+ "ref": "nixos-unstable",
+ "type": "indirect"
+ }
+ },
+ "root": {
+ "inputs": {
+ "nixpkgs": "nixpkgs",
+ "utils": "utils"
+ }
+ },
+ "utils": {
+ "locked": {
+ "lastModified": 1659877975,
+ "narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
+ "type": "github"
+ },
+ "original": {
+ "owner": "numtide",
+ "repo": "flake-utils",
+ "type": "github"
+ }
+ }
+ },
+ "root": "root",
+ "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..aca04cf
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,32 @@
+{
+ description = "A basic Go web server setup";
+
+ inputs = {
+ nixpkgs.url = "nixpkgs/nixos-unstable";
+ utils.url = "github:numtide/flake-utils";
+ };
+
+ outputs = { self, nixpkgs, utils }:
+ utils.lib.eachSystem [
+ "x86_64-linux"
+ "aarch64-linux"
+ "x86_64-darwin"
+ "aarch64-darwin"
+ ] (system:
+ let
+ pkgs =
+ import nixpkgs {
+ inherit system;
+ overlays = [
+ (final: prev: {
+ go = prev.go_1_19;
+ buildGoModule = prev.buildGo119Module;
+ })
+ ];
+ };
+ in {
+ devShells.default = pkgs.mkShell {
+ buildInputs = with pkgs; [ go gopls gotools go-tools ];
+ };
+ });
+}
From a98aa89fbbb7b32f455b26afcef00acd765607cc Mon Sep 17 00:00:00 2001
From: Xe Iaso
Date: Fri, 23 Sep 2022 14:22:42 +0000
Subject: [PATCH 2/3] Allow tagged nodes to authenticate
Needs testing. A lot of testing.
Signed-off-by: Xe
---
 module.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/module.go b/module.go
index a22a4bf..5b62690 100644
--- a/module.go
+++ b/module.go
@@ -1,7 +1,6 @@
 package tscaddy
 import (
- "fmt"
 "log"
 "net"
 "net/http"
@@ -146,7 +145,8 @@ func (ta TailscaleAuth) Authenticate(w http.ResponseWriter, r *http.Request) (ca
 }
 if len(info.Node.Tags) != 0 {
- return user, false, fmt.Errorf("node %s has tags", info.Node.Hostinfo.Hostname())
+ info.UserProfile.LoginName = strings.Replace(info.Node.Tags[0], ":", "___", -1) + "@tags.in.your.tailnet"
+ info.UserProfile.DisplayName = "A tagged node with tags: " + strings.Join(info.Node.Tags, ", ")
 }
 var tailnet string
From c2ec60630d3d30631921423da1492fb2c658adb2 Mon Sep 17 00:00:00 2001
From: Christine Dodrill
Date: Thu, 27 Oct 2022 16:25:25 +0000
Subject: [PATCH 3/3] Add caddyfile parsing for allowing tagged nodes
Signed-off-by: Christine Dodrill
---
 module.go | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/module.go b/module.go
index 5b62690..772adab 100644
--- a/module.go
+++ b/module.go
@@ -1,6 +1,7 @@
 package tscaddy
 import (
+ "fmt"
 "log"
 "net"
 "net/http"
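Review bot: The login name synthesized on the first added line of the Authenticate hunk encodes only `info.Node.Tags[0]`, so a node carrying several tags is presented to downstream authorization as a single-tag identity, with the other tags surviving only in the free-text `DisplayName`; any Caddy policy that matches on `LoginName` needs to be written with that in mind, and a comment such as `// Tagged nodes have no user; synthesize a stable login name from the first tag for downstream matchers` would make the contract explicit. `strings.Replace(info.Node.Tags[0], ":", "___", -1)` is the idiomatic `strings.ReplaceAll(info.Node.Tags[0], ":", "___")`. Whether `info.UserProfile` is guaranteed non-nil for a tagged node is not visible in this hunk and is worth confirming before it is dereferenced. Authenticate's body begins and ends outside the hunk.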
@@ -89,6 +90,8 @@ func getListener(_, addr string) (net.Listener, error) {
 type TailscaleAuth struct {
 localclient *tailscale.LocalClient
+
+ AllowTaggedNodes bool `json:"allow_tagged_nodes"`
 }
 func (TailscaleAuth) CaddyModule() caddy.ModuleInfo {
@@ -144,9 +147,11 @@ func (ta TailscaleAuth) Authenticate(w http.ResponseWriter, r *http.Request) (ca
 return user, false, err
 }
- if len(info.Node.Tags) != 0 {
+ if ta.AllowTaggedNodes && len(info.Node.Tags) != 0 {
 info.UserProfile.LoginName = strings.Replace(info.Node.Tags[0], ":", "___", -1) + "@tags.in.your.tailnet"
 info.UserProfile.DisplayName = "A tagged node with tags: " + strings.Join(info.Node.Tags, ", ")
+ } else {
+ return user, false, fmt.Errorf("node %s has tags", info.Node.Hostinfo.Hostname())
 }
 var tailnet string
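Review bot: `AllowTaggedNodes` is an exported, security-relevant setting added without a doc comment; since setting it lets nodes that have no user pass authentication under a synthesized login, add `// AllowTaggedNodes permits nodes that carry ACL tags (and so have no user) to authenticate; their login name is synthesized from the first tag. Default false rejects them.` above the field. The subject says Caddyfile parsing is added, but the diffstat's six insertions are all visible in this commit's hunks and only the JSON tag is introduced, so Caddyfile users apparently still cannot set this option; either the subject or a follow-up should say which is intended.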
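Review bot: The new `else` branch in the Authenticate hunk rejects every untagged node: when `len(info.Node.Tags) == 0` the replaced `&&` condition is false, control falls into `else`, and an error claiming the node has tags is returned, so with the default `AllowTaggedNodes == false` no node authenticates at all. Change the branch to `} else if len(info.Node.Tags) != 0 {` so only tagged nodes with the option unset are rejected, and let the message say why, e.g. `fmt.Errorf("node %s has tags and allow_tagged_nodes is not set", info.Node.Hostinfo.Hostname())`. Failing closed for tagged nodes by default is the right posture; it just must not extend to untagged ones. Authenticate's body starts and ends outside the hunk.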