feat: additional iteration over acl, now simpler

This commit is contained in:
Davide Polonio 2025-05-01 18:07:09 +02:00
parent 67e8b43807
commit a9d15d5ca1


@ -8,18 +8,16 @@
"tagOwners": { "tagOwners": {
"tag:web": ["group:admin"], "tag:web": ["group:admin"],
"tag:dns": ["group:admin"], "tag:dns": ["group:admin"],
"tag:web": ["group:admin"], "tag:exitnode": ["group:admin"],
"tag:game": ["group:admin", "group:family"] "tag:game": ["group:admin", "group:family"]
}, },
"acls": [ "acls": [
// Family and admin should be able to access every service // Family and admin should be able to access everything
{ {
"action": "accept", "action": "accept",
"src": ["group:admin", "group:family"], "src": ["group:admin", "group:family"],
"dst": [ "dst": [
"tag:web:*", "*:*"
"tag:dns:*",
"tag:exitnode:*"
] ]
}, },
// External can access only hosted games // External can access only hosted games
@ -30,30 +28,14 @@
"tag:game:*" "tag:game:*"
] ]
}, },
// And possibly the DNS server (or we break their internet connection) // Everyone should access DNS server (or we break their internet connection)
{ {
"action": "accept", "action": "accept",
"src": ["group:external"], "src": ["*"],
"proto": "udp", "proto": "udp",
"dst": [ "dst": [
"tag:dns:53" "tag:dns:53"
] ]
},
// Web services should be able to make DNS queries
{
"action": "accept",
"src": ["tag:web"],
"proto": "udp",
"dst": [
"tag:dns:53"
]
},
{
"action": "accept",
"src": ["group:family"],
"dst": [
"group:family:*"
]
} }
] ]
} }
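Review bot: The rewritten first rule (first hunk) gives `group:family` the same `"dst": ["*:*"]` as `group:admin`, so family members now reach every node on every port in the tailnet, not just the three tagged services and each other's devices that the old rules enumerated, and any node added later is reachable by them by default. If only admin is meant to be unrestricted, keep `*:*` for `group:admin` and give `group:family` an explicit destination list such as the one below (the set is taken from the old rules and should be adjusted to what family actually needs); if the broad grant is intended, say so in the rule's comment, e.g. `// Admin and family are intentionally unrestricted: any node, any port`. The DNS rule in the second hunk is unaffected either way, since its `"src": ["*"]` already covers both groups.
```json
// Admin can access everything
{
  "action": "accept",
  "src": ["group:admin"],
  "dst": ["*:*"]
},
// Family is limited to the shared services and their own devices
{
  "action": "accept",
  "src": ["group:family"],
  "dst": [
    "tag:web:*",
    "tag:dns:*",
    "tag:exitnode:*",
    "group:family:*"
  ]
},
// … unchanged: external game rule and DNS rule …
```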