From fa0e83ab4f890120f957b34c82f3ff32fb979664 Mon Sep 17 00:00:00 2001
From: Mohammed Naser <mnaser@vexxhost.com>
Date: Sat, 23 Aug 2025 05:00:09 -0400
Subject: [PATCH] tsnet: add Server.AdvertiseTags option (#15840)

Updates #8531

Change-Id: I9b6653872c66929e692bd592ef3f438430c657b5
Signed-off-by: Valentin Alekseev <valentin.alekseev@gmail.com>
Co-authored-by: Valentin Alekseev <valentin.alekseev@gmail.com>
---
 tsnet/tsnet.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/tsnet/tsnet.go b/tsnet/tsnet.go
index 06709bf8b..8f2f7bdcd 100644
--- a/tsnet/tsnet.go
+++ b/tsnet/tsnet.go
@@ -124,6 +124,13 @@ type Server struct {
 	// field at zero unless you know what you are doing.
 	Port uint16
 
+	// AdvertiseTags specifies groups that this embedded server wants to join, for
+	// purposes of ACL enforcement. These can be referenced from the ACL
+	// security policy. Note that advertising a tag doesn't guarantee that
+	// the control server will allow you to take on the rights for that
+	// tag.
+	AdvertiseTags []string
+
 	getCertForTesting func(*tls.ClientHelloInfo) (*tls.Certificate, error)
 
 	initOnce         sync.Once
@@ -662,6 +669,7 @@ func (s *Server) start() (reterr error) {
 	prefs.WantRunning = true
 	prefs.ControlURL = s.ControlURL
 	prefs.RunWebClient = s.RunWebClient
+	prefs.AdvertiseTags = s.AdvertiseTags
 	authKey := s.getAuthKey()
 	err = lb.Start(ipn.Options{
 		UpdatePrefs: prefs,