ACLs

compose.yml

@@ -82,6 +82,8 @@ services:
     restart: unless-stopped
     ports:
       - "127.0.0.1:9200:9200"
+    environment:
+      HEADSCALE_EXPERIMENTAL_FEATURE_SSH: "1"
     volumes:
       - ./etc/headscale:/etc/headscale
       - headscale_data:/var/lib/headscale

etc/headscale/acls.json

@@ -0,0 +1,17 @@
+{
+  "acls": [
+    {
+      "action": "accept",
+      "src": ["*"],
+      "dst": ["*:*"]
+    }
+  ],
+  "ssh": [
+    {
+      "action": "accept",
+      "src": ["autogroup:members"],
+      "dst": ["autogroup:self"],
+      "users": ["root", "autogroup:nonroot"]
+    }
+  ]
+}

etc/headscale/config.yaml

@@ -1,6 +1,7 @@
 server_url: https://net.fogtype.com
 listen_addr: 0.0.0.0:8080
 metrics_listen_addr: 0.0.0.0:9200
+acl_policy_path: /etc/headscale/acls.json
 db_type: sqlite3
 db_path: /var/lib/headscale/db.sqlite
 private_key_path: /var/lib/headscale/private.key