init

files/acl.hujson.tftpl

@@ -0,0 +1,29 @@
+{
+    "groups": {
+        "group:admin": [ %{~ for admin in admins ~} "${admin}@${domain}", %{~ endfor ~} ]
+    },
+    "acls": [
+        { "action": "accept", "users": ["*"], "ports": ["*:*"] }
+    ],
+    "tagOwners": {
+        "${tag}": ["group:admin", "${tag}"]
+    },
+    "autoApprovers": {
+        "routes": {
+            %{~ for route in routes ~}
+            "${route}": ["group:admin", "${tag}"],
+            %{~ endfor ~}
+        },
+        "exitNode": ["${tag}"]
+    },
+    %{~ if enable_ssh ~}
+    "ssh": [
+        {
+            "action": "check",
+            "src": ["autogroup:members"],
+            "dst": ["autogroup:self"],
+            "users": ["autogroup:nonroot", "root"]
+        }
+    ]
+    %{~ endif ~}
+}

files/relay-init.sh.tftpl

@@ -0,0 +1,6 @@
+#!/bin/bash
+echo 'net.ipv4.ip_forward = 1' >> /etc/sysctl.conf
+echo 'net.ipv6.conf.all.forwarding = 1' >> /etc/sysctl.conf
+sysctl -p /etc/sysctl.conf
+curl -fsSL https://gist.githubusercontent.com/bdeshi/ba8fed1b5d357320d0314e8380c58454/raw/4978c0b60443e448607b59bc67c09f1dbbac9a56/tailscale-install.sh | sh
+tailscale up %{ if length(routes) > 0 } --advertise-routes "${join(",", routes)}" %{ endif } --authkey "${auth_key}" --accept-dns=false