fix: add ssh rules to default acl policy

internal/domain/acl.go

@@ -66,18 +66,6 @@ type Grant struct {
 	App tailcfg.PeerCapMap       `json:"app"`
 }
 
-func DefaultACLPolicy() ACLPolicy {
-	return ACLPolicy{
-		ACLs: []ACL{
-			{
-				Action: "accept",
-				Src:    []string{"*"},
-				Dst:    []string{"*:*"},
-			},
-		},
-	}
-}
-
 func (a ACLPolicy) FindAutoApprovedIPs(routableIPs []netip.Prefix, tags []string, u *User) []netip.Prefix {
 	if a.AutoApprovers == nil || len(routableIPs) == 0 {
 		return nil

internal/domain/iam.go

@@ -11,10 +11,6 @@ import (
 	"gorm.io/gorm/schema"
 )
 
-func DefaultIAMPolicy() IAMPolicy {
-	return IAMPolicy{}
-}
-
 type Identity struct {
 	UserID   string
 	Username string

internal/service/tailnet.go

@@ -8,6 +8,7 @@ import (
 	"github.com/jsiebens/ionscale/internal/domain"
 	"github.com/jsiebens/ionscale/internal/mapping"
 	"github.com/jsiebens/ionscale/internal/util"
+	"github.com/jsiebens/ionscale/pkg/defaults"
 	api "github.com/jsiebens/ionscale/pkg/gen/ionscale/v1"
 	"tailscale.com/tailcfg"
 )
@@ -42,6 +43,18 @@ func (s *Service) CreateTailnet(ctx context.Context, req *connect.Request[api.Cr
 		return nil, connect.NewError(connect.CodePermissionDenied, fmt.Errorf("permission denied"))
 	}
 
+	if req.Msg.IamPolicy == nil {
+		req.Msg.IamPolicy = defaults.DefaultIAMPolicy()
+	}
+
+	if req.Msg.AclPolicy == nil {
+		req.Msg.AclPolicy = defaults.DefaultACLPolicy()
+	}
+
+	if req.Msg.DnsConfig == nil {
+		req.Msg.DnsConfig = defaults.DefaultDNSConfig()
+	}
+
 	tailnet := &domain.Tailnet{
 		ID:                          util.NextID(),
 		Name:                        req.Msg.Name,
@@ -54,24 +67,16 @@ func (s *Service) CreateTailnet(ctx context.Context, req *connect.Request[api.Cr
 		MachineAuthorizationEnabled: req.Msg.MachineAuthorizationEnabled,
 	}
 
-	if req.Msg.IamPolicy != nil {
+	if err := validateIamPolicy(req.Msg.IamPolicy); err != nil {
-		if err := validateIamPolicy(req.Msg.IamPolicy); err != nil {
+		return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("invalid iam policy: %w", err))
-			return nil, connect.NewError(connect.CodeInvalidArgument, fmt.Errorf("invalid iam policy: %w", err))
-		}
-
-		if err := mapping.CopyViaJson(req.Msg.IamPolicy, &tailnet.IAMPolicy); err != nil {
-			return nil, logError(err)
-		}
-	} else {
-		tailnet.IAMPolicy = domain.DefaultIAMPolicy()
 	}
 
-	if req.Msg.AclPolicy != nil {
+	if err := mapping.CopyViaJson(req.Msg.IamPolicy, &tailnet.IAMPolicy); err != nil {
-		if err := mapping.CopyViaJson(req.Msg.AclPolicy, &tailnet.ACLPolicy); err != nil {
+		return nil, logError(err)
-			return nil, logError(err)
+	}
-		}
+
-	} else {
+	if err := mapping.CopyViaJson(req.Msg.AclPolicy, &tailnet.ACLPolicy); err != nil {
-		tailnet.ACLPolicy = domain.DefaultACLPolicy()
+		return nil, logError(err)
 	}
 
 	if err := s.repository.SaveTailnet(ctx, tailnet); err != nil {

pkg/defaults/defaults.go

@@ -11,9 +11,21 @@ func DefaultACLPolicy() *ionscalev1.ACLPolicy {
 				Dst:    []string{"*:*"},
 			},
 		},
+		Ssh: []*ionscalev1.SSHRule{
+			{
+				Action: "check",
+				Src:    []string{"autogroup:member"},
+				Dst:    []string{"autogroup:self"},
+				Users:  []string{"autogroup:nonroot", "root"},
+			},
+		},
 	}
 }
 
+func DefaultIAMPolicy() *ionscalev1.IAMPolicy {
+	return &ionscalev1.IAMPolicy{}
+}
+
 func DefaultDNSConfig() *ionscalev1.DNSConfig {
 	return &ionscalev1.DNSConfig{
 		MagicDns: true,