Add docs for policy-wide options and node attributes

docs/about/features.md

@@ -33,6 +33,7 @@ provides on overview of Headscale's feature and compatibility with the Tailscale
       routers](../ref/routes.md#automatically-approve-routes-of-a-subnet-router) and [exit
       nodes](../ref/routes.md#automatically-approve-an-exit-node-with-auto-approvers)
     - [x] [Tailscale SSH](https://tailscale.com/docs/features/tailscale-ssh)
+    - [x] [Node attributes](../ref/policy.md#node-attributes)
     - [x] [Tests](https://tailscale.com/docs/reference/syntax/policy-file#tests) and
       [sshTests](https://tailscale.com/docs/reference/syntax/policy-file#ssh-tests)
 - [x] [Node registration using Single-Sign-On (OpenID Connect)](../ref/oidc.md) ([GitHub label "OIDC"](https://github.com/juanfont/headscale/labels/OIDC))

docs/ref/policy.md

@@ -196,5 +196,54 @@ Used in Tailscale SSH rules to allow access to any user except root. Can only be
 This autogroup resolves to all IP addresses (`0.0.0.0/0` and `::/0`) which also includes all IP addresses outside the
 standard Tailscale IP ranges. This autogroup can only be used as source.
 
+## Node Attributes
+
+[Node attributes](https://tailscale.com/docs/reference/syntax/policy-file#node-attributes) allow for device-specific
+configuration and attributes. At least the following node attributes are currently supported by Headscale[^2]:
+
+- `drive:access`, `drive:share`: [Taildrive support](https://tailscale.com/docs/features/taildrive).
+- `nextdns:<profile>`, `nextdns:no-device-info`: [NextDNS integration](https://tailscale.com/docs/integrations/nextdns).
+  Be sure to set NextDNS as global resolver in the [configuration](configuration.md).
+- `magicdns-aaaa`: Respond to AAAA queries on the local [MagicDNS](https://tailscale.com/docs/features/magicdns)
+  resolver at 100.100.100.100.
+- `disable-ipv4`: Selectively disable IPv4 for specfic nodes. This is may be useful to workaround [CGNat
+  conflicts](https://tailscale.com/docs/reference/troubleshooting/network-configuration/cgnat-conflicts).
+- `randomize-client-port`: Allocate a [random port for WireGuard
+  traffic](https://tailscale.com/docs/reference/syntax/policy-file#randomizeclientport) instead of the static default
+  port 41641.
+- `disable-captive-portal-detection`: [Disable automatic captive portal
+  detection](https://tailscale.com/docs/integrations/captive-portals#disable-captive-portal-detection).
+
+```json title="policy.json"
+{
+  "nodeAttrs": [
+    {
+      // Enable MagicDNS AAAA records for all nodes
+      "target": ["*"]
+      "attr": ["magicdns-aaaa"]
+    }
+  ]
+}
+```
+
+## Network-wide policy options
+
+The following options are applied for the entire tailnet. Consider [node attributes](#node-attributes) for a more
+fine-grained configuration instead.
+
+- `randomizeClientPort`: Allocate a [random port for WireGuard
+  traffic](https://tailscale.com/docs/reference/syntax/policy-file#randomizeclientport) instead of the static default
+  port 41641.
+
+```json title="policy.json"
+{
+  // Use a random WireGuard port for the entire tailnet
+  "randomizeClientPort": true
+}
+```
+
 [^1]: Headscale also allows to store the policy in the database. This is typically only required in case a [web
     interface](integration/web-ui.md) is used.
+
+[^2]: Other key-only node attributes can be used as well. Find them in the client source code with `grep -E '^\s+NodeAttr\w+' tailcfg/tailcfg.go` or by using [GitHub code search (requires
+    login)](https://github.com/search?q=repo%3Atailscale%2Ftailscale%20language%3Ago%20path%3Atailcfg%2Ftailcfg.go%20symbol%3A%2FNodeAttr%5Cw%2B%2F&type=code).