
policy: add App Connector support #2987

Closed
matanbaruch wants to merge 6 commits into juanfont:main from matanbaruch:main

Conversation

@matanbaruch commented Jan 1, 2026

Implement App Connector functionality for Headscale, allowing nodes to advertise as app connectors and receive domain-based routing configuration from the control plane. This addresses issue #1651.

Changes

Core Implementation

  • Add appConnectors field to Policy struct for defining app connector configurations in ACLs
  • Parse app connector configuration including name, connectors (tags or "*"), domains (with wildcard support), and optional routes
  • Add validation for app connector configuration (domains, tags, etc.)
  • Add AppConnectorConfigForNode method to PolicyManager to get matching configurations for nodes advertising as app connectors
  • Update mapper to add tailscale.com/app-connectors capability to CapMap in MapResponse for nodes advertising as app connectors

Tests

  • Add comprehensive unit tests for app connector functionality (hscontrol/policy/v2/appconnector_test.go)
  • Add integration tests (integration/appconnector_test.go):
    • TestAppConnectorBasic: Tests tagged nodes receive app connector configuration
    • TestAppConnectorNonMatchingTag: Tests non-matching tags are excluded
    • TestAppConnectorWildcardConnector: Tests wildcard connector matching

Documentation

  • Add App Connectors section to docs/ref/acls.md with configuration examples
  • Add App Connectors to feature list in docs/about/features.md
  • Add CHANGELOG.md entry

Example ACL Configuration

```json
{
  "tagOwners": {
    "tag:connector": ["user@example.com"]
  },
  "appConnectors": [
    {
      "name": "Internal Apps",
      "connectors": ["tag:connector"],
      "domains": ["internal.example.com", "*.corp.example.com"],
      "routes": ["10.0.0.0/8"]
    }
  ]
}
```

How It Works

  1. Configure tagged nodes as app connectors in your ACL policy
  2. Nodes with the specified tags that advertise themselves as app connectors (tailscale set --advertise-connector) will receive the domain configuration
  3. When clients query DNS for the configured domains, traffic is automatically routed through the connector nodes

Closes #1651

  • have read the CONTRIBUTING.md file
  • raised a GitHub issue or discussed it on the projects chat beforehand
  • added unit tests
  • added integration tests
  • updated documentation if needed
  • updated CHANGELOG.md
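The selection logic behind the Changes bullets (parse and validate the appConnectors section, match entries to a node, add the tailscale.com/app-connectors capability) and the three-step procedure under How It Works, as an added Go example written for this page; it is not code from this PR or from headscale. It embeds the PR's example ACL as constructed input, rejects malformed connectors, domains and routes, returns the matching entries for a node from its tags and its advertise flag, and renders the CapMap value a client would receive. The struct and field names (AppConnector, Policy, Node.AdvertisesConnector), the rule that a wildcard may only be a leading "*." label, and the decision to ignore other policy keys are assumptions of this example, not the project's types or validation rules.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/netip"
	"slices"
	"strings"
)

// CapAppConnectors is the CapMap key the PR says the mapper sets for advertising nodes.
const CapAppConnectors = "tailscale.com/app-connectors"

// AppConnector models one "appConnectors" entry; field names follow the JSON keys in
// the PR's example ACL, and the Go types are an assumption, not the project's own.
type AppConnector struct {
	Name       string   `json:"name"`
	Connectors []string `json:"connectors"` // "tag:..." entries or "*"
	Domains    []string `json:"domains"`    // hostnames, optionally "*.suffix"
	Routes     []string `json:"routes,omitempty"`
}

type Policy struct { // other keys of a real policy file (acls, groups, ...) are ignored
	TagOwners     map[string][]string `json:"tagOwners"`
	AppConnectors []AppConnector      `json:"appConnectors"`
}

// Node is a reduced headscale node: tags plus whether it ran `tailscale set --advertise-connector`.
type Node struct {
	Tags                []string
	AdvertisesConnector bool // field name assumed
}

// ExamplePolicy is the PR's example ACL, embedded so the code runs offline.
const ExamplePolicy = `{"tagOwners": {"tag:connector": ["user@example.com"]}, "appConnectors": [{"name": "Internal Apps",
 "connectors": ["tag:connector"], "domains": ["internal.example.com", "*.corp.example.com"], "routes": ["10.0.0.0/8"]}]}`

// validDomain allows one leading "*." label and no other wildcard; a bare "*" is rejected (assumed rule).
func validDomain(d string) bool {
	rest := strings.TrimPrefix(strings.ToLower(strings.TrimSuffix(d, ".")), "*.")
	return rest != "" && !strings.Contains(rest, "*") && !strings.Contains("."+rest+".", "..")
}

// ParsePolicy unmarshals a policy and rejects the mistakes most likely in a
// hand-written appConnectors section.
func ParsePolicy(data []byte) (*Policy, error) {
	var p Policy
	if err := json.Unmarshal(data, &p); err != nil {
		return nil, err
	}
	for _, ac := range p.AppConnectors {
		for _, c := range ac.Connectors {
			if _, known := p.TagOwners[c]; c != "*" && (!strings.HasPrefix(c, "tag:") || !known) {
				return nil, fmt.Errorf("%q: connector %q must be \"*\" or a tag with a tagOwners entry", ac.Name, c)
			}
		}
		for _, d := range ac.Domains {
			if !validDomain(d) {
				return nil, fmt.Errorf("%q: invalid domain %q", ac.Name, d)
			}
		}
		for _, r := range ac.Routes {
			if _, err := netip.ParsePrefix(r); err != nil {
				return nil, fmt.Errorf("%q: invalid route %q: %w", ac.Name, r, err)
			}
		}
	}
	return &p, nil
}

// AppConnectorConfigForNode returns the entries whose connectors match the node's tags.
// A node that does not advertise as a connector gets nothing, however it is tagged.
func (p *Policy) AppConnectorConfigForNode(n Node) []AppConnector {
	if !n.AdvertisesConnector {
		return nil
	}
	var out []AppConnector
	for _, ac := range p.AppConnectors {
		if slices.ContainsFunc(ac.Connectors, func(c string) bool { return c == "*" || slices.Contains(n.Tags, c) }) {
			out = append(out, ac)
		}
	}
	return out
}

// CapMap renders what the client finds under CapAppConnectors in its netmap
// (`tailscale debug netmap`); empty when the node gets no capability.
func CapMap(p *Policy, n Node) map[string][]json.RawMessage {
	caps := map[string][]json.RawMessage{}
	for _, c := range p.AppConnectorConfigForNode(n) {
		b, _ := json.Marshal(c) // plain strings and slices: cannot fail
		caps[CapAppConnectors] = append(caps[CapAppConnectors], b)
	}
	return caps
}

func main() {
	p, err := ParsePolicy([]byte(ExamplePolicy))
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s\n", CapMap(p, Node{Tags: []string{"tag:connector"}, AdvertisesConnector: true})[CapAppConnectors])
}
```

Running it prints the single "Internal Apps" entry for a node that carries tag:connector and advertises as a connector; the same node without the advertise flag, or a node tagged tag:web, gets an empty map, while a policy whose connectors entry is "*" matches every advertising node regardless of tags.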

@m3wt commented Jan 23, 2026

@matanbaruch, have you tested the functionality of this patch set?

After applying the patches, I tagged an app connector node, enabled the app connector in tailscaled, published a connector domain within my tailscale policy, however tailscale appc-routes on the app connector does not return any results.

matanbaruch and others added 2 commits February 11, 2026 06:07
Implement App Connector functionality for Headscale, allowing nodes to
advertise as app connectors and receive domain-based routing configuration
from the control plane. This addresses issue juanfont#1651.

Changes:
- Add `appConnectors` field to Policy struct for defining app connector
  configurations in ACLs
- Parse app connector configuration including name, connectors (tags or "*"),
  domains (with wildcard support), and optional routes
- Add validation for app connector configuration (domains, tags, etc.)
- Add `AppConnectorConfigForNode` method to PolicyManager to get matching
  configurations for nodes advertising as app connectors
- Update mapper to add `tailscale.com/app-connectors` capability to CapMap
  in MapResponse for nodes advertising as app connectors
- Add comprehensive unit tests for app connector functionality

Example ACL configuration:
```json
{
  "tagOwners": {
    "tag:connector": ["user@example.com"]
  },
  "appConnectors": [
    {
      "name": "Internal Apps",
      "connectors": ["tag:connector"],
      "domains": ["internal.example.com", "*.corp.example.com"],
      "routes": ["10.0.0.0/8"]
    }
  ]
}
```

Closes juanfont#1651

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Add App Connectors section to docs/ref/acls.md with configuration examples
- Add App Connectors to feature list in docs/about/features.md
- Add CHANGELOG.md entry for App Connector support
- Add integration tests for app connector functionality

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
…r tests

- Set DOCKER_API_VERSION to 1.44 if not already defined to maintain compatibility with newer Docker daemons.
- Update app connector tests to use netip.Prefix for route definitions and improve validation checks for netmap and capability maps.
- Refactor assertions in tests for better clarity and consistency.

This enhances the reliability of integration tests and ensures proper interaction with Docker APIs.
@matanbaruch (Author) commented Feb 11, 2026

> @matanbaruch, have you tested the functionality of this patch set?
>
> After applying the patches, I tagged an app connector node, enabled the app connector in tailscaled, published a connector domain within my tailscale policy, however tailscale appc-routes on the app connector does not return any results.

Hey @m3wt, yes I've tested this locally and the app connector capability is working correctly.
Regarding tailscale appc-routes returning empty - that's expected at this stage. That command shows routes the app connector has discovered by resolving DNS queries. The capability is delivered via the netmap (which you can verify with tailscale debug netmap), but actual route discovery only happens when a client on the tailnet queries one of the configured domains.
The headscale side (this PR) is responsible for delivering the configuration to the node - the route discovery itself is handled by the Tailscale client.

Make sure you're using a tagged pre-auth key (not a regular one) - the node must have tag:connector for the policy to match.

@matanbaruch (Author) commented

@kradalby Is it possible to get this test running?

matanbaruch and others added 2 commits February 21, 2026 19:33
- Added tests for App Connector Basic, Non-Matching Tag, and Wildcard Connector to enhance coverage.
- Improved assertions in existing tests to ensure proper validation of node capabilities and tags.
- Minor formatting adjustments in test files for better readability.

These changes aim to strengthen the integration testing framework for app connectors.
@matanbaruch (Author) commented

@kradalby Re-run? :)

- Added whitespace for better readability in the TestAppConnectorBasic and TestAppConnectorWildcardConnector functions.
- These minor formatting adjustments enhance the clarity of the test code without altering functionality.
@matanbaruch (Author) commented

@kradalby I think we are ready. Re-run :)

@matanbaruch matanbaruch mentioned this pull request Feb 21, 2026
@kradalby (Collaborator) commented

Seems like it's hanging, you might need to close and reopen

@matanbaruch matanbaruch closed this Mar 1, 2026
@matanbaruch (Author) commented

@kradalby Done #3121

Development

Successfully merging this pull request may close these issues.

FR: support for App Connectors