feat: additional iteration over acl, now simpler

feat: link new acl config
feat: first vpn acl setup
2025-05-01 18:07:09 +02:00 · 2025-05-01 17:42:03 +02:00 · 2025-05-01 17:06:55 +02:00
2 changed files with 45 additions and 1 deletions
--- a/headscale/acl.json
+++ b/headscale/acl.json
@ -0,0 +1,41 @@
 {
 	"groups": {
 		"group:admin": ["davide"],
 		"group:family": ["davide", "dario"],
 		"group:services": ["services"],
 		"group:external": []
 	},
 	"tagOwners": {
 		"tag:web": ["group:admin"],
 		"tag:dns": ["group:admin"],
 		"tag:exitnode": ["group:admin"],
 		"tag:game": ["group:admin", "group:family"]
 	},
 	"acls": [
 		// Family and admin should be able to access everything
 		{
 			"action": "accept",
 			"src": ["group:admin", "group:family"],
 			"dst": [
 				"*:*"
 			]
 		},
 		// External can access only hosted games
 		{
 			"action": "accept",
 			"src": ["group:external"],
 			"dst": [
 				"tag:game:*"
 			]
 		},
 		// Everyone should access DNS server (or we break their internet connection)
 		{
 			"action": "accept",
 			"src": ["*"],
 			"proto": "udp",
 			"dst": [
 				"tag:dns:53"
 			]
 		}
 	]
 }
--- a/headscale/config.yaml
+++ b/headscale/config.yaml
@ -213,7 +213,7 @@ policy:
  mode: file
  # If the mode is set to "file", the path to a
  # HuJSON file containing ACL policies.
-  path: ""
+  path: "/etc/headscale/acl.json"
 ## DNS
 #
@ -279,6 +279,9 @@ dns:
    - name: "pi.hole"
      type: "A"
      value: "100.64.0.4"
    - name: "pihole.lan.poldebra.me"
      type: "A"
      value: "100.64.0.4"
  # - name: "grafana.myvpn.example.com"
  #   type: "A"
  #   value: "100.64.0.3"
Author	SHA1	Message	Date
Davide Polonio	a9d15d5ca1	feat: additional iteration over acl, now simpler All checks were successful continuous-integration/drone/push Build is passing Details	2025-05-01 18:07:09 +02:00
Davide Polonio	67e8b43807	feat: link new acl config	2025-05-01 17:42:03 +02:00
Davide Polonio	23a08ba8f2	feat: first vpn acl setup	2025-05-01 17:06:55 +02:00