Add headscale ACLs

Tags are managed entirely server side, so there are no privilege-escalation issues.

This lets my devices do what they want, and server style devices can't do anything.
Jake Howard 2024-04-20 15:46:21 +01:00
parent 7bc0ebeb26
commit 7c8d224c4a
Signed by: jake
GPG key ID: 57AFB45680EDD477
3 changed files with 24 additions and 2 deletions


@ -0,0 +1,13 @@
{
"tagOwners": {
"tag:client": []
},
"acls": [
{
"action": "accept",
"src": ["tag:client"],
"dst": ["*:*"]
}
]
}
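Review bot: The policy's intent — `tag:client` has no owners, so it can only be assigned server-side, and every untagged node is denied by default once this file is loaded — is not recorded in the file itself, and the config comment on `acl_policy_path` says headscale accepts HuJSON, so a comment should be possible here; add above `tagOwners` something like `// No owners on purpose: tag:client is set server-side via the headscale CLI and can never be self-advertised by a node.` The single rule grants tagged clients every port on every node (`*:*`), including other tagged clients, so the boundary enforced is only tagged-vs-untagged; if the server-style devices expose only a few services, a per-port `dst` list would tighten that later. Worth a one-line note too that a node accidentally left untagged loses all connectivity, since that is the stated design rather than a fault.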


@ -188,7 +188,7 @@ log:
# Path to a file containg ACL policies. # Path to a file containg ACL policies.
# ACLs can be defined as YAML or HUJSON. # ACLs can be defined as YAML or HUJSON.
# https://tailscale.com/kb/1018/acls/ # https://tailscale.com/kb/1018/acls/
acl_policy_path: "" acl_policy_path: "/etc/headscale/acls.json"
## DNS ## DNS
# #


@ -11,7 +11,16 @@
src: files/headscale.yml src: files/headscale.yml
dest: /etc/headscale/config.yaml dest: /etc/headscale/config.yaml
owner: headscale owner: headscale
mode: "0644" mode: "0600"
notify: restart headscale
become: true
- name: Install ACLs
template:
src: files/acls.json
dest: /etc/headscale/acls.json
owner: headscale
mode: "0600"
notify: restart headscale notify: restart headscale
become: true become: true
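Review bot: The new `Install ACLs` task has no `validate:`, so a malformed policy file is only discovered when the `restart headscale` handler fires and the control plane fails to come back up; a syntax check before the file is written, e.g. `validate: "python3 -m json.tool %s"` for the plain-JSON file as it currently stands, would fail the play instead (it would need replacing with a HuJSON-aware check if `//` comments are ever added). The task also uses the `template` module for a file that contains no Jinja expressions — `copy` states the intent more clearly unless templating is planned, and avoids any future `{{` in the policy being interpreted by Jinja. The `0600` mode and `headscale` owner match the config-file change just above, which is appropriate since the policy need not be world-readable.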