Change options default value and name to align with stock Tailscale's platform-specific behavior - config is automatically updated!!! #585

Open

lmagyar wants to merge 12 commits into hassio-addons:main from lmagyar:pr-accept-routes-default

@lmagyar lmagyar commented Nov 23, 2025

Collaborator

Proposed Changes

Default disabled:

  • accept_routes
  • advertise_exit_node
  • advertise_connector
  • advertise_routes
  • taildrop
  • userspace_networking

Renamed:

  • tags -> advertise_tags (config is automatically updated, not a breaking change)

General considerations to merge this several months after #541:

Related Issues

closes #604
coderabbitai in this comment/review

Summary by CodeRabbit

  • Configuration Changes

    • Several networking features now default to disabled: accept_routes, advertise_connector, advertise_exit_node, taildrop, and userspace_networking.
    • advertise_routes now defaults to empty; advertising subnets requires explicit enablement.
    • Added advertise_tags (ACL tag syntax requires the tag: prefix). The legacy tags option is removed and is replaced by advertise_tags.
  • Documentation

    • Updated guidance to match disabled-by-default behavior, including explicit admin-console steps to enable exit node and subnet route advertising.
    • Refreshed option descriptions and tag configuration instructions for the new defaults.

@coderabbitai

coderabbitai Bot commented Nov 23, 2025

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Default Tailscale configuration options changed from enabled to disabled (accept_routes, advertise_connector, advertise_exit_node, taildrop, userspace_networking); tags option renamed to advertise_tags with schema validation; documentation and translations updated to reflect new defaults and explicit admin-console enablement steps; startup and migration scripts updated to handle the new option name and provide backward-compatible migration for legacy tags configurations.

Changes

Configuration and Documentation Update

| Layer / File(s) | Summary |
| --- | --- |
| Configuration defaults and schema (tailscale/config.yaml) | Options accept_routes, advertise_connector, advertise_exit_node, taildrop, userspace_networking now default to false; advertise_routes emptied to []; new advertise_tags option added with schema pattern validation; legacy tags option and schema matcher removed. |
| Documentation updates (tailscale/DOCS.md, tailscale/translations/en.yaml) | Early narrative stating default exit node/subnet route exposure removed; all option descriptions rewritten to reflect disabled-by-default semantics; explicit admin-console enablement steps added for exit nodes and subnet routes; new advertise_tags section introduced with tag: prefix constraint; translations updated to match documentation changes. |
| Runtime startup script (tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run) | Script variable renamed from tags to advertise_tags; configuration retrieval updated to read and pass advertise_tags via --advertise-tags option. |
| Legacy configuration migration (tailscale/rootfs/etc/s6-overlay/scripts/stage2_hook.sh) | New migration logic detects legacy .tags option, validates and renames to advertise_tags using try/error mechanism; logs warnings for invalid values; removes original tags key after processing to support backward compatibility. |

Sequence Diagram(s)

(Skipped — changes focus on configuration defaults, documentation rewrites, and synchronous startup/migration script updates; no multi-component sequential interactions requiring visualization.)

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • hassio-addons/app-tailscale#541: Overlapping changes to configuration keys and defaults including advertise_routes/advertise_exit_node and tags → advertise_tags migration patterns.
  • hassio-addons/app-tailscale#616: Related handling of userspace_networking and DNS/MagicDNS defaults with similar disabled-by-default semantics.

Suggested labels

bugfix

Suggested reviewers

  • frenck

Poem

🐇 I've tidied the defaults, once bold and bright,
Now tags slip to advertise_tags with delight,
Exit nodes and subnets rest until you say,
Admin console unlocks them, come what may,
A quiet hop through config—set things right.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly summarizes the main change: updating default values and renaming configuration options to align with stock Tailscale's behavior, with automatic config migration. |
| Linked Issues check | ✅ Passed | The PR directly addresses issue #604 by changing default values for advertise_exit_node, advertise_connector, and advertise_routes to false, ensuring the add-on does not advertise itself as exit node or advertise subnets by default. |
| Out of Scope Changes check | ✅ Passed | All changes are directly related to the linked issue: updating default values, renaming tags to advertise_tags, adding config migration, and updating documentation. No unrelated modifications are present. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


Comment @coderabbitai help to get the list of available commands.
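
The legacy `tags` migration summarised in the walkthrough above, as an added example that is not the add-on's `stage2_hook.sh` or any code from this PR: it validates each legacy value, warns about and drops invalid ones, and builds the value passed to `--advertise-tags`. The function names, the one-tag-per-line input format, the tag pattern and the choice to keep an already-set `advertise_tags` are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added illustration of the legacy "tags" -> "advertise_tags" migration.
# Not the add-on's stage2_hook.sh; every name below is hypothetical.

# Assumption: a valid tag is "tag:" + a letter + letters, digits or dashes.
TAG_PATTERN='^tag:[A-Za-z][A-Za-z0-9-]*$'

# valid_tags: reads one tag per line on stdin, prints the valid ones,
# and warns on stderr for every value it drops.
valid_tags() (
    while IFS= read -r tag || [ -n "${tag}" ]; do
        if [ -z "${tag}" ]; then
            continue
        elif printf '%s\n' "${tag}" | LC_ALL=C grep -Eq "${TAG_PATTERN}"; then
            printf '%s\n' "${tag}"
        else
            printf 'WARNING: dropping invalid legacy tag: %s\n' "${tag}" >&2
        fi
    done
)

# migrate_tags LEGACY CURRENT
#   LEGACY:  newline-separated values of the legacy "tags" option
#   CURRENT: newline-separated values of "advertise_tags" (may be empty)
# Prints the newline-separated value to store as advertise_tags.
migrate_tags() (
    legacy=$1
    current=$2
    if [ -n "${current}" ]; then
        # Assumption: an explicit advertise_tags wins, so the migration
        # never replaces tags the user already chose under the new name.
        if [ -n "${legacy}" ]; then
            printf 'WARNING: advertise_tags already set, ignoring legacy tags\n' >&2
        fi
        printf '%s\n' "${current}"
    else
        printf '%s\n' "${legacy}" | valid_tags
    fi
)

# advertise_tags_flag TAGS
# Joins newline-separated tags with commas. An empty list yields an empty
# value, matching the join(",") behaviour discussed in the review.
advertise_tags_flag() (
    joined=$(printf '%s\n' "$1" | paste -sd, -)
    printf '%s%s\n' '--advertise-tags=' "${joined}"
)

# Constructed sample: a legacy list where one entry lacks the tag: prefix.
legacy_sample=$(printf '%s\n' 'tag:homeassistant' 'server' 'tag:iot-lab')
migrated=$(migrate_tags "${legacy_sample}" "")
advertise_tags_flag "${migrated}"
```

Because tags decide which ACL rules apply to the node, a dropped or rewritten tag changes access policy, which is why the invalid value is reported rather than silently discarded.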

lmagyar added the bugfix label ("Inconsistencies or issues which will cause a problem for users or implementors.") Nov 23, 2025
@github-actions

There hasn't been any activity on this pull request recently. This pull request has been automatically marked as stale because of that and will be closed if no further activity occurs within 7 days. Thank you for your contributions.

github-actions Bot added the stale label ("There has not been activity on this issue or PR for quite some time.") Dec 24, 2025
lmagyar added the no-stale label ("This issue or PR is exempted from the stable bot.") and removed the stale label ("There has not been activity on this issue or PR for quite some time.") Dec 24, 2025
@lmagyar

lmagyar commented Jan 5, 2026

Collaborator Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jan 5, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 0

🧹 Nitpick comments (1)
tailscale/rootfs/etc/s6-overlay/scripts/stage2_hook.sh (1)

74-82: Consider combining the duplicate conditions.

Both forwarding and mss-clamping services are disabled under the same condition (userspace_networking is true). These could be combined into a single conditional block for clarity.

🔎 Suggested refactor
 # Disable forwarding service when userspace-networking is enabled
-if bashio::config.true "userspace_networking"; then
+# Disable mss-clamping service when userspace-networking is enabled
+if bashio::config.true "userspace_networking"; then
     rm /etc/s6-overlay/s6-rc.d/user/contents.d/forwarding
-fi
-
-# Disable mss-clamping service when userspace-networking is enabled
-if bashio::config.true "userspace_networking"; then
     rm /etc/s6-overlay/s6-rc.d/user/contents.d/mss-clamping
 fi
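
Review bot: The merged `if` block keeps two stacked comment lines that each name only one service, and its two `rm` calls now depend on each other: if removing `forwarding` fails, a script that aborts on errors never reaches the `mss-clamping` removal. Suggest a single comment such as `# Disable forwarding and mss-clamping services when userspace-networking is enabled` and one `rm` call that lists both paths, since `rm` processes every operand even when one of them fails.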
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d0b5383 and 173e4ac.

📒 Files selected for processing (8)
  • tailscale/DOCS.md
  • tailscale/config.yaml
  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run
  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/share-homeassistant/run
  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/tailscaled/run
  • tailscale/rootfs/etc/s6-overlay/scripts/stage2_hook.sh
  • tailscale/rootfs/usr/bin/subnet-routes
  • tailscale/translations/en.yaml
🧰 Additional context used
🧠 Learnings (10)
📚 Learning: 2025-11-23T00:06:06.013Z
Learnt from: lmagyar
Repo: hassio-addons/addon-tailscale PR: 541
File: tailscale/config.yaml:29-30
Timestamp: 2025-11-23T00:06:06.013Z
Learning: In the Home Assistant Tailscale add-on (hassio-addons/addon-tailscale), userspace_networking defaults to true because TUN networking can cause problems and is not needed for basic Home Assistant accessibility. This is an intentional deviation from stock Tailscale's default kernel/TUN networking.

Applied to files:

  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/tailscaled/run
  • tailscale/DOCS.md
  • tailscale/config.yaml
  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run
  • tailscale/translations/en.yaml
  • tailscale/rootfs/etc/s6-overlay/scripts/stage2_hook.sh
📚 Learning: 2024-11-15T17:38:56.576Z
Learnt from: lmagyar
Repo: hassio-addons/addon-tailscale PR: 419
File: tailscale/rootfs/command/with-contenv-merge:8-12
Timestamp: 2024-11-15T17:38:56.576Z
Learning: The script `with-contenv-merge` in `tailscale/rootfs/command/` is directly copied from s6 and should not be modified.

Applied to files:

  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/tailscaled/run
  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run
  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/share-homeassistant/run
  • tailscale/rootfs/etc/s6-overlay/scripts/stage2_hook.sh
  • tailscale/rootfs/usr/bin/subnet-routes
📚 Learning: 2025-11-06T10:55:55.062Z
Learnt from: lmagyar
Repo: hassio-addons/addon-tailscale PR: 566
File: tailscale/rootfs/usr/bin/subnet-routes:1-2
Timestamp: 2025-11-06T10:55:55.062Z
Learning: In the hassio-addons/addon-tailscale project, utility scripts in `/usr/bin/` (like `subnet-routes`, `protect-subnet-routes`, `unprotect-subnet-routes`) are invoked from s6-overlay service scripts or NetworkManager dispatchers that already use `#!/command/with-contenv bashio`. These utilities inherit the environment from their parent processes and therefore use `#!/usr/bin/env bashio` rather than `#!/command/with-contenv bashio`.

Applied to files:

  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/tailscaled/run
  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run
  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/share-homeassistant/run
  • tailscale/rootfs/etc/s6-overlay/scripts/stage2_hook.sh
  • tailscale/rootfs/usr/bin/subnet-routes
📚 Learning: 2024-10-09T10:32:14.110Z
Learnt from: mikz
Repo: hassio-addons/addon-tailscale PR: 407
File: tailscale/rootfs/etc/s6-overlay/s6-rc.d/init-nginx/run:24-29
Timestamp: 2024-10-09T10:32:14.110Z
Learning: In the Tailscale add-on for Home Assistant, the `tailscale/rootfs` directory is copied into the container's root directory via the Dockerfile, ensuring that files like `/etc/nginx/templates/homeassistant.gtpl` are present at runtime.

Applied to files:

  • tailscale/DOCS.md
  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/share-homeassistant/run
📚 Learning: 2025-09-16T23:47:20.987Z
Learnt from: lmagyar
Repo: hassio-addons/addon-tailscale PR: 541
File: tailscale/config.yaml:30-37
Timestamp: 2025-09-16T23:47:20.987Z
Learning: In the hassio-addons/addon-tailscale project, the advertise_routes configuration uses `local_subnets` (with underscore) as the default value, and the runtime regex patterns use `local.subnets` (with dot) which correctly matches the underscore variant because '.' in regex matches any single character including '_'.

Applied to files:

  • tailscale/DOCS.md
  • tailscale/translations/en.yaml
  • tailscale/rootfs/usr/bin/subnet-routes
📚 Learning: 2025-07-28T00:02:02.296Z
Learnt from: lmagyar
Repo: hassio-addons/addon-tailscale PR: 445
File: tailscale/rootfs/etc/s6-overlay/scripts/stage2_hook.sh:24-38
Timestamp: 2025-07-28T00:02:02.296Z
Learning: In Home Assistant add-ons, mandatory configuration options are automatically filled with default values by the supervisor, so there's no need to guard against overwriting user-configured values during migration since the option will always have a value.

Applied to files:

  • tailscale/DOCS.md
📚 Learning: 2025-09-17T23:53:19.467Z
Learnt from: lmagyar
Repo: hassio-addons/addon-tailscale PR: 509
File: tailscale/config.yaml:0-0
Timestamp: 2025-09-17T23:53:19.467Z
Learning: In the Tailscale add-on config.yaml, there is an intentional naming mismatch between map entries and schema field names: map entries use actual Home Assistant directory names (like `homeassistant_config`, `all_addon_configs`) while schema fields use user-friendly names (like `config`, `addon_configs`). This allows correct directory mapping while presenting cleaner option names in the UI.

Applied to files:

  • tailscale/DOCS.md
  • tailscale/config.yaml
📚 Learning: 2025-06-11T20:37:01.152Z
Learnt from: lmagyar
Repo: hassio-addons/addon-tailscale PR: 455
File: tailscale/rootfs/usr/bin/magicdns-ingress-proxy-forwarding:100-106
Timestamp: 2025-06-11T20:37:01.152Z
Learning: In the Home Assistant Tailscale add-on, DNATing DNS packets to port 0 (e.g. `--to-destination 127.0.0.1:0`) is an intentional technique to drop traffic. iptables accepts port 0, rewrites the destination port to 0, and the packet is rejected by the stack, effectively discarding it. This is valid and should not be flagged as an error in future reviews.

Applied to files:

  • tailscale/DOCS.md
📚 Learning: 2025-10-29T20:47:02.818Z
Learnt from: lmagyar
Repo: hassio-addons/addon-tailscale PR: 562
File: tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run:120-128
Timestamp: 2025-10-29T20:47:02.818Z
Learning: In the hassio-addons/addon-tailscale project, when checking for IPv6 addresses in bash scripts, use the regex format `if [[ "${variable}" =~ .*:.* ]]; then` for consistency with other IPv6 tests in the codebase.

Applied to files:

  • tailscale/rootfs/etc/s6-overlay/scripts/stage2_hook.sh
  • tailscale/rootfs/usr/bin/subnet-routes
🔇 Additional comments (23)
tailscale/config.yaml (2)

28-43: LGTM! Well-structured default configuration.

The explicit defaults align with the PR objective of making accept_routes default to false. The mandatory options with sensible defaults improve configuration clarity and align with the shift away from implicit behavior.


44-61: LGTM! Schema correctly enforces mandatory configuration.

The transition from optional (bool?) to required (bool) types ensures all configuration options are explicitly set. The regex patterns correctly validate the allowed values.

tailscale/rootfs/etc/s6-overlay/s6-rc.d/share-homeassistant/run (1)

72-72: LGTM! Simplified port handling aligns with mandatory configuration.

With share_on_port now a required field with a default value of 443 in config.yaml, the fallback logic is correctly removed. The configuration system guarantees a value will always be present.

tailscale/rootfs/etc/s6-overlay/s6-rc.d/tailscaled/run (1)

26-29: LGTM! Explicit true check aligns with mandatory configuration.

The change from a negated check to bashio::config.true is correct. Since userspace_networking is now mandatory with a default of true in config.yaml, this explicit check properly enables userspace networking mode. Based on learnings, this intentional deviation from stock Tailscale's default kernel/TUN networking is appropriate for Home Assistant accessibility.

tailscale/translations/en.yaml (1)

1-108: LGTM! Translation descriptions accurately reflect new defaults.

The updated descriptions consistently communicate the new mandatory configuration behavior. The accept_routes description correctly states "disabled by default" which is the primary objective of this PR. All other option descriptions align with their respective defaults in config.yaml.

tailscale/DOCS.md (3)

43-64: LGTM! Clear configuration guidance with updated defaults.

The documentation correctly explains the new default behavior and provides step-by-step instructions for enabling features in the Tailscale admin console. The reference to the Machines page improves discoverability.


66-87: LGTM! Sample configuration matches new defaults.

The example YAML correctly shows accept_routes: false and includes local_subnets in advertise_routes, aligning with the new configuration schema in config.yaml.


107-114: LGTM! Documentation accurately describes accept_routes default.

The accept_routes section correctly states "This option is disabled by default", which is the primary objective of this PR to align with stock Tailscale's platform-specific behavior.

tailscale/rootfs/usr/bin/subnet-routes (2)

27-41: LGTM! Clean handling of local_subnets configuration.

The logic correctly:

  1. Uses exact regex match (^local_subnets$) to identify the special value
  2. Recursively calls subnet-routes local to collect local subnets
  3. Warns if no local subnets are found (helpful for troubleshooting)
  4. Appends other configured addresses directly

The recursive call is safe since it only occurs when $1 == "advertised" and the recursive call uses local.


50-73: LGTM! Route extraction and deduplication logic is sound.

The route extraction correctly:

  • Skips link-local addresses (fe80:: and 169.254.x.x)
  • Checks forwarding is enabled for the address family before including routes
  • Uses ipcalc to compute network/prefix from addresses
  • Deduplicates routes using sort -u
tailscale/rootfs/etc/s6-overlay/scripts/stage2_hook.sh (3)

61-66: LGTM! Correct logic for disabling protect-subnets service.

The condition properly disables protect-subnets when:

  1. Userspace networking is enabled (no TUN interface to protect)
  2. OR accepting routes is disabled (no external routes to protect against)

This aligns with the PR's change to make accept_routes default to false.


68-72: LGTM! Conditional local-network dependency based on local_subnets configuration.

The grep pattern correctly checks if local_subnets is explicitly configured in advertise_routes. When not configured, there's no need to wait for the local network to collect subnet information.


89-92: LGTM! Explicit check for 'disabled' value.

The change from checking absence to explicitly checking for 'disabled' aligns with the mandatory configuration approach. Since share_homeassistant now defaults to 'disabled' in config.yaml, this condition will correctly disable the service by default.

tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run (10)

19-24: LGTM!

The explicit boolean check pattern for accept_dns is correct and consistent with the PR's goal of requiring explicit configuration values.


26-31: LGTM — aligns with stock Tailscale behavior.

This is the core change of the PR. The accept_routes option now defaults to disabled and only enables when explicitly set to true, matching Tailscale's platform-specific default behavior.


34-45: LGTM!

The error check and explicit boolean handling for advertise_exit_node are correct. The mutual exclusivity check between advertising and using an exit node is properly placed.


57-62: LGTM!

Consistent explicit boolean handling pattern for advertise_connector.


68-73: LGTM!

Consistent explicit boolean handling pattern for stateful_filtering.


75-80: LGTM!

Consistent explicit boolean handling pattern for snat_subnet_routes.


146-167: LGTM!

The colliding routes warning condition correctly uses bashio::config.true "accept_routes", consistent with the updated accept_routes handling. The warning only triggers when accept_routes is explicitly enabled.


169-178: LGTM!

The userspace networking notice correctly triggers when userspace_networking is explicitly true. Based on learnings, this defaults to true in this add-on (intentional deviation from stock Tailscale), so users will be appropriately informed about the mode's limitations.


82-84: No action needed. The tags configuration has a default value of [] in config.yaml (line 41), so the removal of the // [] fallback is safe. Calling join(",") on an empty array returns an empty string, which is the correct behavior.

Likely an incorrect or invalid review comment.


65-66: No action required.

The login_server configuration has a default value in config.yaml ("https://controlplane.tailscale.com"), so the unconditional addition of --login-server="${login_server}" is correct and safe. The bashio::config call will always return a non-empty value (either the default or user-configured value).

Likely an incorrect or invalid review comment.

lmagyar changed the title "Make accept_routes default disabled to align with stock Tailscale's platform-specific behavior" to "Change options default value and name to align with stock Tailscale's platform-specific behavior - config is automatically updated!!!" Jan 11, 2026
@lmagyar

lmagyar commented Jan 11, 2026

Collaborator Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jan 11, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In @tailscale/config.yaml:
- Around line 28-43: The advertise_routes setting currently lists local_subnets
which keeps advertising local subnets by default; change advertise_routes (the
key under the options block) to an empty list (i.e., no advertised routes) to
stop advertising subnets by default, and update any related docs/translations
that assume local_subnets is advertised (or explicitly document that advertising
local subnets is intentional if you prefer to keep it).
🧹 Nitpick comments (4)
tailscale/rootfs/etc/s6-overlay/scripts/stage2_hook.sh (3)

10-11: tags→advertise_tags migration: avoid clobbering + make failure handling consistent.

If a user somehow has both tags and advertise_tags, this will overwrite advertise_tags unconditionally. Consider only migrating when advertise_tags is empty/unset, and wrapping the set in try (like share_on_port) to avoid a hard fail on invalid legacy values.

Also applies to: 62-68


70-75: Use rm -f for s6 dependency/content removals to make upgrades resilient.

A missing file (already removed by earlier migration / future layout change) would currently fail the hook under set -e.

Proposed change
-    rm /etc/s6-overlay/s6-rc.d/post-tailscaled/dependencies.d/protect-subnets
+    rm -f /etc/s6-overlay/s6-rc.d/post-tailscaled/dependencies.d/protect-subnets
...
-    rm /etc/s6-overlay/s6-rc.d/post-tailscaled/dependencies.d/local-network
+    rm -f /etc/s6-overlay/s6-rc.d/post-tailscaled/dependencies.d/local-network
...
-    rm /etc/s6-overlay/s6-rc.d/user/contents.d/forwarding
+    rm -f /etc/s6-overlay/s6-rc.d/user/contents.d/forwarding
...
-    rm /etc/s6-overlay/s6-rc.d/user/contents.d/mss-clamping
+    rm -f /etc/s6-overlay/s6-rc.d/user/contents.d/mss-clamping
...
-    rm /etc/s6-overlay/s6-rc.d/user/contents.d/taildrop
+    rm -f /etc/s6-overlay/s6-rc.d/user/contents.d/taildrop
...
-    rm /etc/s6-overlay/s6-rc.d/user/contents.d/share-homeassistant
+    rm -f /etc/s6-overlay/s6-rc.d/user/contents.d/share-homeassistant
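
Review bot: Switching every removal to `rm -f` makes a missing file silent, which also hides the case where one of these paths no longer matches the image layout; the service then stays enabled although the option turned it off, and nothing is logged. For the `contents.d` entries (`forwarding`, `mss-clamping`, `taildrop`, `share-homeassistant`) consider testing for the file first and logging a warning when it is absent, rather than relying on `-f` alone, so a disable that did not take effect is visible in the add-on log.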

Also applies to: 80-81, 85-86, 90-91, 95-96, 100-101


77-81: Local-network gating for local_subnets looks correct; prefer a “fixed string” grep.

Minor robustness: grep -Fxq local_subnets avoids regex surprises and is a bit clearer.

Proposed change
-if ! bashio::config "advertise_routes" | grep -Eq "^local_subnets$";
+if ! bashio::config "advertise_routes" | grep -Fxq "local_subnets";
 then
     rm /etc/s6-overlay/s6-rc.d/post-tailscaled/dependencies.d/local-network
 fi
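
Review bot: The unchanged `rm` on the context line still has no `-f`, which conflicts with the `rm -f` change proposed for the same line in the 70-75 comment; the two suggestions should be merged into one so they can be applied together. The swap from `-Eq "^local_subnets$"` to `-Fxq "local_subnets"` matches exactly the same lines, so it changes readability only and still relies on `bashio::config` printing each `advertise_routes` entry on its own line.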
tailscale/DOCS.md (1)

43-47: Docs are consistent with the current defaults; verify they match the intended fix scope for #604.

If you decide to change advertise_routes default to [], these sections + the sample config will need to be updated to avoid reintroducing confusion.

Also applies to: 66-87, 132-146, 160-169

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 173e4ac and 471a26c.

📒 Files selected for processing (5)
  • tailscale/DOCS.md
  • tailscale/config.yaml
  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run
  • tailscale/rootfs/etc/s6-overlay/scripts/stage2_hook.sh
  • tailscale/translations/en.yaml
🧰 Additional context used
🧠 Learnings (10)
📚 Learning: 2025-09-17T23:53:19.467Z
Learnt from: lmagyar
Repo: hassio-addons/addon-tailscale PR: 509
File: tailscale/config.yaml:0-0
Timestamp: 2025-09-17T23:53:19.467Z
Learning: In the Tailscale add-on config.yaml, there is an intentional naming mismatch between map entries and schema field names: map entries use actual Home Assistant directory names (like `homeassistant_config`, `all_addon_configs`) while schema fields use user-friendly names (like `config`, `addon_configs`). This allows correct directory mapping while presenting cleaner option names in the UI.

Applied to files:

  • tailscale/config.yaml
  • tailscale/DOCS.md
📚 Learning: 2025-11-23T00:06:06.013Z
Learnt from: lmagyar
Repo: hassio-addons/addon-tailscale PR: 541
File: tailscale/config.yaml:29-30
Timestamp: 2025-11-23T00:06:06.013Z
Learning: In the Home Assistant Tailscale add-on (hassio-addons/addon-tailscale), userspace_networking defaults to true because TUN networking can cause problems and is not needed for basic Home Assistant accessibility. This is an intentional deviation from stock Tailscale's default kernel/TUN networking.

Applied to files:

  • tailscale/config.yaml
  • tailscale/translations/en.yaml
  • tailscale/rootfs/etc/s6-overlay/scripts/stage2_hook.sh
  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run
  • tailscale/DOCS.md
📚 Learning: 2024-11-15T17:38:56.576Z
Learnt from: lmagyar
Repo: hassio-addons/addon-tailscale PR: 419
File: tailscale/rootfs/command/with-contenv-merge:8-12
Timestamp: 2024-11-15T17:38:56.576Z
Learning: The script `with-contenv-merge` in `tailscale/rootfs/command/` is directly copied from s6 and should not be modified.

Applied to files:

  • tailscale/rootfs/etc/s6-overlay/scripts/stage2_hook.sh
  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run
📚 Learning: 2025-11-06T10:55:55.062Z
Learnt from: lmagyar
Repo: hassio-addons/addon-tailscale PR: 566
File: tailscale/rootfs/usr/bin/subnet-routes:1-2
Timestamp: 2025-11-06T10:55:55.062Z
Learning: In the hassio-addons/addon-tailscale project, utility scripts in `/usr/bin/` (like `subnet-routes`, `protect-subnet-routes`, `unprotect-subnet-routes`) are invoked from s6-overlay service scripts or NetworkManager dispatchers that already use `#!/command/with-contenv bashio`. These utilities inherit the environment from their parent processes and therefore use `#!/usr/bin/env bashio` rather than `#!/command/with-contenv bashio`.

Applied to files:

  • tailscale/rootfs/etc/s6-overlay/scripts/stage2_hook.sh
  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run
  • tailscale/DOCS.md
📚 Learning: 2025-10-29T20:47:02.818Z
Learnt from: lmagyar
Repo: hassio-addons/addon-tailscale PR: 562
File: tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run:120-128
Timestamp: 2025-10-29T20:47:02.818Z
Learning: In the hassio-addons/addon-tailscale project, when checking for IPv6 addresses in bash scripts, use the regex format `if [[ "${variable}" =~ .*:.* ]]; then` for consistency with other IPv6 tests in the codebase.

Applied to files:

  • tailscale/rootfs/etc/s6-overlay/scripts/stage2_hook.sh
  • tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run
📚 Learning: 2024-10-09T10:32:14.110Z
Learnt from: mikz
Repo: hassio-addons/addon-tailscale PR: 407
File: tailscale/rootfs/etc/s6-overlay/s6-rc.d/init-nginx/run:24-29
Timestamp: 2024-10-09T10:32:14.110Z
Learning: In the Tailscale add-on for Home Assistant, the `tailscale/rootfs` directory is copied into the container's root directory via the Dockerfile, ensuring that files like `/etc/nginx/templates/homeassistant.gtpl` are present at runtime.

Applied to files:

  • tailscale/DOCS.md
📚 Learning: 2025-07-28T00:02:02.296Z
Learnt from: lmagyar
Repo: hassio-addons/addon-tailscale PR: 445
File: tailscale/rootfs/etc/s6-overlay/scripts/stage2_hook.sh:24-38
Timestamp: 2025-07-28T00:02:02.296Z
Learning: In Home Assistant add-ons, mandatory configuration options are automatically filled with default values by the supervisor, so there's no need to guard against overwriting user-configured values during migration since the option will always have a value.

Applied to files:

  • tailscale/DOCS.md
📚 Learning: 2025-09-16T23:47:20.987Z
Learnt from: lmagyar
Repo: hassio-addons/addon-tailscale PR: 541
File: tailscale/config.yaml:30-37
Timestamp: 2025-09-16T23:47:20.987Z
Learning: In the hassio-addons/addon-tailscale project, the advertise_routes configuration uses `local_subnets` (with underscore) as the default value, and the runtime regex patterns use `local.subnets` (with dot) which correctly matches the underscore variant because '.' in regex matches any single character including '_'.

Applied to files:

  • tailscale/DOCS.md
📚 Learning: 2025-06-11T20:37:01.152Z
Learnt from: lmagyar
Repo: hassio-addons/addon-tailscale PR: 455
File: tailscale/rootfs/usr/bin/magicdns-ingress-proxy-forwarding:100-106
Timestamp: 2025-06-11T20:37:01.152Z
Learning: In the Home Assistant Tailscale add-on, DNATing DNS packets to port 0 (e.g. `--to-destination 127.0.0.1:0`) is an intentional technique to drop traffic. iptables accepts port 0, rewrites the destination port to 0, and the packet is rejected by the stack, effectively discarding it. This is valid and should not be flagged as an error in future reviews.

Applied to files:

  • tailscale/DOCS.md
🔇 Additional comments (4)
tailscale/config.yaml (1)

45-48: Making booleans explicit/non-nullable should help avoid “presence-driven” surprises.

This aligns well with the move in scripts to rely on explicit true/false checks. (And per add-on behavior, missing options should be filled from defaults anyway.)

Also applies to: 54-61

tailscale/translations/en.yaml (1)

8-8: Wording matches the new defaults; good alignment with the “explicit booleans” shift.

Only callout: the advertise_routes text explicitly states local subnets are advertised by default—make sure that’s the intended long-term behavior (ties back to whether #604 should consider this fixed).

Also applies to: 14-15, 22-29, 35-42, 67-68, 75-76, 83-84, 90-91, 96-97, 104-105

tailscale/rootfs/etc/s6-overlay/s6-rc.d/post-tailscaled/run (2)

19-32: Good move to explicit true/false flags—should eliminate presence-driven defaults.

This looks like the right direction for fixing the “toggle off but still enabled” class of issues.

Also applies to: 40-46, 57-63, 65-80, 146-149, 169-178


82-90: No issues found with Tailscale CLI compatibility.

The pinned Tailscale version (v1.90.8) officially supports empty values for --advertise-tags= to clear tags, and supports the --flag=false syntax used throughout the script (lines 23, 30, 44, 61, 72, 79). These are documented patterns in the CLI, and the code is compatible with v1.90.8 as-is.

Comment thread tailscale/config.yaml Outdated
Comment thread tailscale/config.yaml
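The review above credits the move from presence-driven flags to explicit true/false flags with fixing the "toggle off but still enabled" class of issues. The following added example, which is not part of the pull request or the add-on's code, shows that difference. `presence_args`, `explicit_args` and `apply_args` are hypothetical names, and `apply_args` is a constructed stand-in for stored preferences that assumes an omitted flag leaves the preference unchanged.

```shell
#!/bin/sh
# Constructed model, not the add-on's script. Option values arrive as the
# strings "true"/"false", as they would from the add-on configuration.

# Presence-driven: a flag is emitted only when the option is true. Turning an
# option off emits nothing, so the stored preference is never told to change.
presence_args() {  # $1 = advertise_exit_node, $2 = accept_routes
  args=""
  if [ "$1" = "true" ]; then args="$args --advertise-exit-node"; fi
  if [ "$2" = "true" ]; then args="$args --accept-routes"; fi
  printf '%s' "${args# }"
}

# Explicit: every option is always written out as --flag=true or --flag=false,
# and anything that is not a boolean is refused instead of being read as "off".
explicit_args() {  # $1 = advertise_exit_node, $2 = accept_routes
  for v in "$1" "$2"; do
    case "$v" in
      true|false) ;;
      *) echo "expected true or false, got '$v'" >&2; return 1 ;;
    esac
  done
  printf '%s' "--advertise-exit-node=$1 --accept-routes=$2"
}

# Stand-in for the daemon's stored preferences (assumption: only preferences
# named on the command line change; omitted ones keep their previous value).
# $1 is the state "exit_node=<bool> accept_routes=<bool>", the rest are flags.
apply_args() {
  exit_node="${1%% *}"; exit_node="${exit_node#exit_node=}"
  accept="${1##* }"; accept="${accept#accept_routes=}"
  shift
  for a in "$@"; do
    case "$a" in
      --advertise-exit-node|--advertise-exit-node=true) exit_node=true ;;
      --advertise-exit-node=false) exit_node=false ;;
      --accept-routes|--accept-routes=true) accept=true ;;
      --accept-routes=false) accept=false ;;
    esac
  done
  printf 'exit_node=%s accept_routes=%s' "$exit_node" "$accept"
}

# A node that was advertising an exit node; the user now switches both off.
before="exit_node=true accept_routes=true"
echo "presence-driven: $(apply_args "$before" $(presence_args false false))"
echo "explicit:        $(apply_args "$before" $(explicit_args false false))"
```

With the presence-driven builder the node keeps advertising itself as an exit node after the option is switched off; with the explicit builder both preferences end up `false`.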
@lmagyar

lmagyar commented Jan 12, 2026

Collaborator Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jan 12, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@lmagyar lmagyar force-pushed the pr-accept-routes-default branch 6 times, most recently from 6605999 to 2102a4e Compare February 5, 2026 15:15
@lmagyar lmagyar marked this pull request as ready for review February 5, 2026 15:17

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@tailscale/DOCS.md`:
- Around line 150-151: Fix the grammar in the admin-console note by replacing
the incorrect phrase "you also has to enable them" with "you also have to enable
them" in the DOCS admin console note string (the sentence beginning "**Note:**
After you add subnets to this option, you also has to enable them on Tailscale's
admin console.").

Comment thread tailscale/DOCS.md Outdated
@lmagyar lmagyar force-pushed the pr-accept-routes-default branch from d6494e3 to f988139 Compare February 5, 2026 15:47

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@tailscale/rootfs/etc/s6-overlay/scripts/stage2_hook.sh`:
- Around line 63-74: The migration currently always writes advertise_tags from
tags which can overwrite a user-provided advertise_tags; change the logic in the
stage2_hook.sh block that reads tags to first check whether advertise_tags is
already set (e.g., get current value via bashio::addon.option 'advertise_tags'
or bashio::jq) and only call try bashio::addon.option 'advertise_tags'
"^${tags}" when advertise_tags is empty/unspecified; regardless of that
decision, still call bashio::addon.option 'tags' to remove the old key, and
preserve the existing TRY_ERROR handling and logging paths (log a message when
skipping the rename due to existing advertise_tags).
🧹 Nitpick comments (1)
tailscale/DOCS.md (1)

51-73: Make the example reflect advertise_routes being disabled by default.
The snippet shows active subnets, which can be read as defaults now that other defaults are explicitly set to false. Consider using [] with commented examples.

Suggested edit
-advertise_routes:
-  - local_subnets
-  - 192.168.1.0/24
-  - fd12:3456:abcd::/64
+advertise_routes: []
+#  - local_subnets
+#  - 192.168.1.0/24
+#  - fd12:3456:abcd::/64
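Review bot: the replacement lines leave `advertise_routes: []` directly above the commented list items, so a reader who only uncomments `#  - local_subnets` ends up with a flow sequence followed by block list entries, which does not parse as YAML. Consider adding a comment line in the example telling the reader to delete `[]` when uncommenting the entries, so the documented snippet cannot be turned into an invalid configuration by the obvious edit.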

Comment thread tailscale/rootfs/etc/s6-overlay/scripts/stage2_hook.sh
@lmagyar lmagyar force-pushed the pr-accept-routes-default branch from f988139 to a72edeb Compare February 5, 2026 19:54
Comment thread tailscale/DOCS.md Outdated
@lmagyar lmagyar marked this pull request as draft February 5, 2026 20:22
@lmagyar

lmagyar commented Feb 5, 2026

Collaborator Author

I mark it as draft to "prevent" it from merging.

First we need a new release with the mandatory options PR copying the current default values to the config yaml.

Then we have to wait a few months until most users update to that version, the missing default values are filled in, then we can change the defaults, this way we won't change the behaviour of most of the existing installations.

@lmagyar lmagyar force-pushed the pr-accept-routes-default branch from ba8677f to b4c7252 Compare February 6, 2026 21:28
@lmagyar lmagyar added enhancement Enhancement of the code, not introducing new features. and removed bugfix Inconsistencies or issues which will cause a problem for users or implementors. labels Apr 17, 2026
# Conflicts:
#	tailscale/rootfs/etc/s6-overlay/scripts/stage2_hook.sh
@lmagyar

lmagyar commented Jun 17, 2026

Collaborator Author

I think it's time to make it non-draft.

@lmagyar lmagyar marked this pull request as ready for review June 17, 2026 00:27
Labels

enhancement Enhancement of the code, not introducing new features. no-stale This issue or PR is exempted from the stable bot.

Development

Successfully merging this pull request may close these issues.

tailscale advertises itself as exit node without being set