Add headscale ACLs

Tags are managed entirely server side, so there's no priv esc issues.

This lets my devices do what they want, and server style devices can't do anything.

ansible/roles/headscale/files/acls.json

@@ -0,0 +1,13 @@
+{
+    "tagOwners": {
+        "tag:client": []
+
+    },
+    "acls": [
+        {
+            "action": "accept",
+            "src": ["tag:client"],
+            "dst": ["*:*"]
+        }
+    ]
+}

ansible/roles/headscale/files/headscale.yml

@@ -188,7 +188,7 @@ log:
 # Path to a file containg ACL policies.
 # ACLs can be defined as YAML or HUJSON.
 # https://tailscale.com/kb/1018/acls/
-acl_policy_path: ""
+acl_policy_path: "/etc/headscale/acls.json"
 
 ## DNS
 #

ansible/roles/headscale/tasks/main.yml

@@ -11,7 +11,16 @@
     src: files/headscale.yml
     dest: /etc/headscale/config.yaml
     owner: headscale
-    mode: "0644"
+    mode: "0600"
+  notify: restart headscale
+  become: true
+
+- name: Install ACLs
+  template:
+    src: files/acls.json
+    dest: /etc/headscale/acls.json
+    owner: headscale
+    mode: "0600"
   notify: restart headscale
   become: true