feat: first vpn acl setup

2025-05-01 17:06:55 +02:00 · 2025-05-01 17:06:55 +02:00 · 23a08ba8f2
commit 23a08ba8f2
parent a07f21af3b
1 changed files with 60 additions and 0 deletions
--- a/headscale/acl.json
+++ b/headscale/acl.json
@ -0,0 +1,60 @@
+{
+	"groups": {
+		"group:admin": ["davide"],
+		"group:family": ["davide", "dario"],
+		"group:services": ["services"],
+		"group:external": []
+	},
+	"tagOwners": {
+		"tag:web": ["group:admin"],
+		"tag:dns": ["group:admin"],
+		"tag:web": ["group:admin"],
+		"tag:game": ["group:admin", "group:family"]
+	},
+	"acls": [
+		// Family and admin should be able to access every service
+		{
+			"action": "accept",
+			"src": ["group:admin", "group:family"],
+			"dst": [
+				"tag:web:*",
+				"tag:dns:*",
+				"tag:exitnode:*"
+			]
+		},
+		// External can access only hosted games
+		{
+			"action": "accept",
+			"src": ["group:external"],
+			"dst": [
+				"tag:game:*"
+			]
+		},
+		// And possibly the DNS server (or we break their internet connection)
+		{
+			"action": "accept",
+			"src": ["group:external"],
+			"proto": "udp",
+			"dst": [
+				"tag:dns:53"
+			]
+		},
+		// Web services should be able to make DNS queries
+		{
+			"action": "accept",
+			"src": ["tag:web"],
+			"proto": "udp",
+			"dst": [
+				"tag:dns:53"
+			]
+		},
+		{
+			"action": "accept",
+			"src": ["davide", "dario"],
+			"dst": [
+				"davide:*",
+				"dario:*"
+			]
+		}
+	]
+}