From 9ab22c99c9e1cb416682efe47e41c3aac0ea46c0 Mon Sep 17 00:00:00 2001
From: bdeshi
Date: Wed, 24 Aug 2022 02:03:13 +0600
Subject: [PATCH] fix cidr validation & suport exit node setting

---
 files/acl.hujson.tftpl | 2 +-
 files/relay-init.sh.tftpl | 2 +-
 tailscale-server.tf | 1 +
 variables.tf | 12 +++++++++---
 4 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/files/acl.hujson.tftpl b/files/acl.hujson.tftpl
index f4ad7dd..55a07f6 100644
--- a/files/acl.hujson.tftpl
+++ b/files/acl.hujson.tftpl
@@ -11,7 +11,7 @@
 "autoApprovers": {
 "routes": {
 %{~ for route in routes ~}
-"${route}": ["group:admin", "${tag}"],
+"${route}": ["${tag}"],
 %{~ endfor ~}
 },
 "exitNode": ["${tag}"]
diff --git a/files/relay-init.sh.tftpl b/files/relay-init.sh.tftpl
index 5446127..0cf48ba 100644
--- a/files/relay-init.sh.tftpl
+++ b/files/relay-init.sh.tftpl
@@ -3,4 +3,4 @@ echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
 echo 'net.ipv6.conf.all.forwarding = 1' >> /etc/sysctl.conf
 sysctl -p /etc/sysctl.conf
 curl -fsSL https://gist.githubusercontent.com/bdeshi/ba8fed1b5d357320d0314e8380c58454/raw/4978c0b60443e448607b59bc67c09f1dbbac9a56/tailscale-install.sh | sh
-tailscale up %{ if length(routes) > 0 } --advertise-routes "${join(",", routes)}" %{ endif } --authkey "${auth_key}" --accept-dns=false
+tailscale up %{ if length(routes) > 0 } --advertise-routes "${join(",", routes)}" %{ endif } %{ if exit_node } --advertise-exit-node %{ endif } --authkey "${auth_key}" --accept-dns=false
diff --git a/tailscale-server.tf b/tailscale-server.tf
index 0a70a1f..311e661 100644
--- a/tailscale-server.tf
+++ b/tailscale-server.tf
@@ -19,6 +19,7 @@ resource "aws_instance" "tailscale" {
 user_data = templatefile("${path.module}/files/relay-init.sh.tftpl", {
 routes = local.tailscale_routes
 auth_key = tailscale_tailnet_key.relay_auth.key
+exit_node = var.advertise_exit_node
 })
 tags = {
 Name = "tailscale"
diff --git a/variables.tf b/variables.tf
index 2ad6a88..fcb72ff 100644
--- a/variables.tf
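Review bot: The reason for dropping `group:admin` from the route auto-approvers is recorded neither in the template nor in the commit message, so a reader cannot tell whether restricting auto-approval to the tagged relay is deliberate. A `//` comment above the `"routes"` key would settle it, e.g. `// only nodes carrying the relay tag auto-approve these routes; routes advertised by admins need manual approval`. Note that the unchanged `"exitNode": ["${tag}"]` line means the `--advertise-exit-node` this commit adds in relay-init.sh.tftpl is approved without review as well, so both auto-approvers now rest entirely on who can obtain `${tag}` — presumably the tagged relay auth key; worth confirming against the ACL's tagOwners, which is outside this hunk.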
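Review bot: The new `%{ if exit_node } --advertise-exit-node %{ endif }` directive is untrimmed, so the rendered `tailscale up` line carries stray runs of spaces around the flag — harmless to the shell but untidy; the `%{~ if exit_node ~}` / `%{~ endif ~}` form that acl.hujson.tftpl already uses trims them, and the existing routes directive on the same line could be fixed the same way. A short comment above the line would also help readers connect the flag to the sysctls at the top of the script, e.g. `# --advertise-exit-node makes this host forward tailnet clients' outbound traffic, which is why ip_forward is enabled above`. Whether that traffic actually leaves the instance also depends on the security group and route table, which are outside this file.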
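Review bot: The added `exit_node = var.advertise_exit_node` is longer than the two keys above it, so if those keys are `=`-aligned as `terraform fmt` produces, the new line breaks the alignment; `terraform fmt` would rewrite the three as `routes    = local.tailscale_routes`, `auth_key  = tailscale_tailnet_key.relay_auth.key`, `exit_node = var.advertise_exit_node`. Running the formatter before committing keeps this kind of diff noise out of later changes. The `aws_instance` resource starts and ends outside the hunk.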
+++ b/variables.tf
@@ -66,9 +66,9 @@ variable "additional_routes" {
 default = []
 description = "The routes in addition to selected VPC's routes, to add to the tailscale network."
 validation {
-condition = length(var.additional_routes) == 0 ? true : alltrue([
+condition = alltrue([
 for route in var.additional_routes :
-regex("^\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}/\\d{1,2}$", route)
+can(regex("^\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}/\\d{1,2}$", route))
 ])
 error_message = "routes must be in CIDR format."
 }
@@ -93,9 +93,15 @@ variable "advertise_routes" {
 description = "Whether to advertise the tailscale server's subnet routes to clients."
 }
 
-variable "enable_tailscale_ssh" {
+variable "advertise_exit_node" {
 type = bool
 default = true
+description = "Whether to advertise the tailscale server as an exit node."
+}
+
+variable "enable_tailscale_ssh" {
+type = bool
+default = false
 description = "Whether to enable ssh-over-tailscale for tailscale network nodes."
 }
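Review bot: The regex inside the new `can(regex(...))` condition still accepts non-addresses such as `999.999.999.999/99` and rejects every IPv6 prefix, so the `routes must be in CIDR format.` error message promises more than the check enforces. Terraform's own prefix parser does this correctly and covers both address families: `condition = alltrue([for route in var.additional_routes : can(cidrhost(route, 0))])`. `can()` around `cidrhost` fails for any string that is not a valid IPv4 or IPv6 prefix and keeps the empty-list case passing, which is what the `alltrue` simplification relies on. The variable's `type` and opening line are outside the hunk.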
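Review bot: `advertise_exit_node` defaults to `true`, and together with the `"exitNode": ["${tag}"]` auto-approver in acl.hujson.tftpl that makes every deployment of this module an approved exit node for the whole tailnet unless the caller opts out; exit-node forwarding is a broader capability than the subnet routes the module already advertises, so `default = false` (opt-in) is the safer default and matches how `enable_tailscale_ssh` is now treated. Separately, this hunk flips `enable_tailscale_ssh` from `default = true` to `default = false`, a behavior change for callers that rely on the default which neither the commit title nor either variable description mentions; it deserves its own commit or at least a line in the message. The closing of the `enable_tailscale_ssh` block may continue past the hunk.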