feat(tailscale): add connect/disconnect, exit-node and LAN-access controls (#2644)

* feat(tailscale): add connect/disconnect/exit-node/LAN-access backend

The Tailscale backend previously exposed only read-only status
(tailscale.getStatus, tailscale.refresh). This adds write actions through the
existing tailscale.com/client/local integration:

- tailscale.connect / tailscale.disconnect (EditPrefs WantRunning)
- tailscale.setExitNode (EditPrefs ExitNodeID; empty id clears it and any
  legacy ExitNodeIP, mirroring `tailscale set --exit-node`)
- tailscale.setAllowLanAccess (EditPrefs ExitNodeAllowLANAccess)

The manager's client interface gains GetPrefs/EditPrefs; fetchState merges
ExitNodeAllowLANAccess from prefs, and Peer exposes ExitNodeOption so the UI
can list exit-node-capable peers.

* feat(tailscale): expose the new actions in TailscaleService

Adds connectTailscale/disconnectTailscale, setExitNode/clearExitNode and
setAllowLanAccess wrappers, plus derived exitNodeOptions/currentExitNode and the
exitNodeAllowLanAccess state. Write-action errors surface via ToastService.

* feat(tailscale): add connection, exit-node and LAN-access controls to the widget

The control-center widget toggle was a no-op. It now connects/disconnects, and
the detail panel gains a connection status row with a connect/disconnect button,
an exit-node picker and a LAN-access toggle.

core/internal/server/tailscale/manager.go

@@ -11,6 +11,7 @@ import (
 	"tailscale.com/client/local"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnstate"
+	"tailscale.com/tailcfg"
 )
 
 const (
@@ -22,6 +23,8 @@ const (
 type tailscaleClient interface {
 	WatchIPNBus(ctx context.Context, mask ipn.NotifyWatchOpt) (ipnBusWatcher, error)
 	Status(ctx context.Context) (*ipnstate.Status, error)
+	GetPrefs(ctx context.Context) (*ipn.Prefs, error)
+	EditPrefs(ctx context.Context, mp *ipn.MaskedPrefs) (*ipn.Prefs, error)
 }
 
 // ipnBusWatcher abstracts the IPN bus watcher for testing.
@@ -43,6 +46,14 @@ func (w *localClientWrapper) Status(ctx context.Context) (*ipnstate.Status, erro
 	return w.client.Status(ctx)
 }
 
+func (w *localClientWrapper) GetPrefs(ctx context.Context) (*ipn.Prefs, error) {
+	return w.client.GetPrefs(ctx)
+}
+
+func (w *localClientWrapper) EditPrefs(ctx context.Context, mp *ipn.MaskedPrefs) (*ipn.Prefs, error) {
+	return w.client.EditPrefs(ctx, mp)
+}
+
 // Manager manages Tailscale state via IPN bus events and subscriber notifications.
 type Manager struct {
 	state                *TailscaleState
@@ -169,16 +180,36 @@ func (m *Manager) fetchAndBroadcast(ctx context.Context) {
 	statusCtx, cancel := context.WithTimeout(ctx, statusTimeout)
 	defer cancel()
 
-	status, err := m.client.Status(statusCtx)
+	state, err := m.fetchState(statusCtx)
 	if err != nil {
 		log.Warnf("[Tailscale] Failed to fetch status: %v", err)
 		return
 	}
 
-	state := convertStatus(status)
 	m.updateState(state)
 }
 
+// fetchState fetches the current status and merges in pref-derived fields
+// (e.g. exit-node LAN access) that are not present in the IPN status itself.
+func (m *Manager) fetchState(ctx context.Context) (*TailscaleState, error) {
+	status, err := m.client.Status(ctx)
+	if err != nil {
+		return nil, err
+	}
+
+	state := convertStatus(status)
+
+	// Prefs carry the exit-node LAN-access toggle, which the status does not
+	// expose. Treat a prefs failure as non-fatal so status still updates.
+	if prefs, err := m.client.GetPrefs(ctx); err != nil {
+		log.Warnf("[Tailscale] Failed to fetch prefs: %v", err)
+	} else if prefs != nil {
+		state.ExitNodeAllowLANAccess = prefs.ExitNodeAllowLANAccess
+	}
+
+	return state, nil
+}
+
 func (m *Manager) updateState(state *TailscaleState) {
 	m.stateMutex.Lock()
 	m.state = state
@@ -266,12 +297,62 @@ func (m *Manager) RefreshState() {
 	ctx, cancel := context.WithTimeout(m.ctx, statusTimeout)
 	defer cancel()
 
-	status, err := m.client.Status(ctx)
+	state, err := m.fetchState(ctx)
 	if err != nil {
 		log.Warnf("[Tailscale] Failed to refresh state: %v", err)
 		return
 	}
 
-	state := convertStatus(status)
 	m.updateState(state)
 }
+
+// Connect brings the Tailscale backend up (WantRunning = true).
+func (m *Manager) Connect() error {
+	return m.editPrefs(&ipn.MaskedPrefs{
+		Prefs:          ipn.Prefs{WantRunning: true},
+		WantRunningSet: true,
+	})
+}
+
+// Disconnect brings the Tailscale backend down (WantRunning = false).
+func (m *Manager) Disconnect() error {
+	return m.editPrefs(&ipn.MaskedPrefs{
+		Prefs:          ipn.Prefs{WantRunning: false},
+		WantRunningSet: true,
+	})
+}
+
+// SetExitNode selects the exit node identified by its stable node ID. An empty
+// id clears the current exit node. Mirrors `tailscale set --exit-node=<id>`,
+// which also clears any legacy IP-based exit node so a stale ExitNodeIP cannot
+// silently take precedence over the now-empty ID.
+func (m *Manager) SetExitNode(id string) error {
+	return m.editPrefs(&ipn.MaskedPrefs{
+		Prefs:         ipn.Prefs{ExitNodeID: tailcfg.StableNodeID(id)},
+		ExitNodeIDSet: true,
+		ExitNodeIPSet: true,
+	})
+}
+
+// SetAllowLANAccess toggles whether locally accessible subnets remain
+// reachable while an exit node is in use.
+func (m *Manager) SetAllowLANAccess(enabled bool) error {
+	return m.editPrefs(&ipn.MaskedPrefs{
+		Prefs:                     ipn.Prefs{ExitNodeAllowLANAccess: enabled},
+		ExitNodeAllowLANAccessSet: true,
+	})
+}
+
+// editPrefs applies a masked prefs edit and refreshes state so subscribers see
+// the result immediately, in addition to the IPN bus notification it triggers.
+func (m *Manager) editPrefs(mp *ipn.MaskedPrefs) error {
+	ctx, cancel := context.WithTimeout(m.ctx, statusTimeout)
+	defer cancel()
+
+	if _, err := m.client.EditPrefs(ctx, mp); err != nil {
+		return err
+	}
+
+	m.RefreshState()
+	return nil
+}