Description
This is a tracking issue for autogroup support in the headscale Policy; it supersedes #657.
From the Tailscale docs:
An autogroup is a special group that automatically includes users, destinations, or usernames with the same properties.
Headscale aims to implement a subset of the Tailscale autogroups; currently supported autogroups are checked:
- autogroup:self
- autogroup:internet
- autogroup:member (as of feat: add autogroup:member, autogroup:tagged #2572)
- autogroup:tagged (as of feat: add autogroup:member, autogroup:tagged #2572)
- autogroup:nonroot
autogroup:self is a bit more complicated; the goal would be to get it in as part of this release cycle, but it needs some more thinking, as it cannot be resolved as part of the policy and a list of nodes. It needs the information about the self (node or user) as well.
Some autogroups are more complicated, and we don't consider them essential for now, which means we might do them later:
- user:*@<domain>
- localpart:*@<domain>
Not relevant as these describe roles in Tailscale, which do not exist in headscale:
- autogroup:owner
- autogroup:admin
- autogroup:auditor
- autogroup:billing-admin
- autogroup:it-admin
- autogroup:network-admin
Not relevant as headscale only has one tailnet:
- autogroup:shared
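The difference described above for autogroup:self, as an added Go example that is not headscale's code: autogroup:member and autogroup:tagged expand once from the node list, while autogroup:self gives a different set for each node it is evaluated for. The `Node` type, the function names, the sample nodes, and the rule that autogroup:self covers only untagged nodes of the same user are assumptions made for illustration.

```go
package main

import "fmt"

// Node is a hypothetical, simplified record (not headscale's type).
type Node struct {
	Name, User string
	Tags       []string // non-empty means the node is tagged
}

// resolveGlobal expands autogroups that depend only on the node list.
func resolveGlobal(group string, nodes []Node) ([]string, error) {
	if group != "autogroup:member" && group != "autogroup:tagged" {
		return nil, fmt.Errorf("%s cannot be resolved from the node list alone", group)
	}
	wantTagged := group == "autogroup:tagged"
	var out []string
	for _, n := range nodes {
		if (len(n.Tags) > 0) == wantTagged {
			out = append(out, n.Name)
		}
	}
	return out, nil
}

// resolveSelf expands autogroup:self for one node (assumed semantics:
// untagged nodes of the same user; a tagged node gets an empty set).
func resolveSelf(self Node, nodes []Node) []string {
	var out []string
	for _, n := range nodes {
		if len(self.Tags) == 0 && len(n.Tags) == 0 && n.User == self.User {
			out = append(out, n.Name)
		}
	}
	return out
}

// sampleNodes is constructed data for the demonstration.
var sampleNodes = []Node{
	{Name: "alice-laptop", User: "alice"}, {Name: "alice-phone", User: "alice"},
	{Name: "bob-laptop", User: "bob"}, {Name: "ci-runner", User: "alice", Tags: []string{"tag:ci"}},
}

func main() {
	fmt.Println(resolveGlobal("autogroup:member", sampleNodes))
	for _, n := range sampleNodes {
		fmt.Println(n.Name, "->", resolveSelf(n, sampleNodes))
	}
}
```

A rule whose destination is autogroup:self therefore has to be compiled per node (or per user) rather than once for the whole policy.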