Add feature flag for SSH, and warning

Signed-off-by: Kristoffer Dalby <[email protected]>
beclab · Nov 26, 2022 · c6d3174 · c6d3174
1 parent 91ed6e2
commit c6d3174
Showing 1 changed file with 15 additions and 8 deletions.
diff --git a/acls.go b/acls.go
@@ -15,6 +15,7 @@ import (
 	"github.com/rs/zerolog/log"
 	"github.com/tailscale/hujson"
 	"gopkg.in/yaml.v3"
+	"tailscale.com/envknob"
 	"tailscale.com/tailcfg"
 )
 
@@ -55,6 +56,8 @@ const (
 	ProtocolFC       = 133 // Fibre Channel
 )
 
+var featureEnableSSH = envknob.RegisterBool("HEADSCALE_FEATURE_SSH")
+
 // LoadACLPolicy loads the ACL policy from the specify path, and generates the ACL rules.
 func (h *Headscale) LoadACLPolicy(path string) error {
 	log.Debug().
@@ -121,15 +124,19 @@ func (h *Headscale) UpdateACLRules() error {
 	log.Trace().Interface("ACL", rules).Msg("ACL rules generated")
 	h.aclRules = rules
 
-	sshRules, err := h.generateSSHRules()
-	if err != nil {
-		return err
-	}
-	log.Trace().Interface("SSH", sshRules).Msg("SSH rules generated")
-	if h.sshPolicy == nil {
-		h.sshPolicy = &tailcfg.SSHPolicy{}
+	if featureEnableSSH() {
+		sshRules, err := h.generateSSHRules()
+		if err != nil {
+			return err
+		}
+		log.Trace().Interface("SSH", sshRules).Msg("SSH rules generated")
+		if h.sshPolicy == nil {
+			h.sshPolicy = &tailcfg.SSHPolicy{}
+		}
+		h.sshPolicy.Rules = sshRules
+	} else if h.aclPolicy != nil && len(h.aclPolicy.SSHs) > 0 {
+		log.Info().Msg("SSH ACLs has been defined, but HEADSCALE_FEATURE_SSH is not enabled, this is a unstable feature, check docs before activating")
 	}
-	h.sshPolicy.Rules = sshRules
 
 	return nil
 }