From 8ec1d7eefcb7a20ee9e3343204c910067bcefd41 Mon Sep 17 00:00:00 2001
From: Kohei Watanabe
Date: Fri, 5 May 2023 23:33:03 +0900
Subject: [PATCH] ACLs

---
 compose.yml | 2 ++
 etc/headscale/acls.json | 17 +++++++++++++++++
 etc/headscale/config.yaml | 1 +
 3 files changed, 20 insertions(+)
 create mode 100644 etc/headscale/acls.json

diff --git a/compose.yml b/compose.yml
index 6c1cac5..1a2de8c 100644
--- a/compose.yml
+++ b/compose.yml
@@ -82,6 +82,8 @@ services:
     restart: unless-stopped
     ports:
       - "127.0.0.1:9200:9200"
+    environment:
+      HEADSCALE_EXPERIMENTAL_FEATURE_SSH: "1"
     volumes:
       - ./etc/headscale:/etc/headscale
       - headscale_data:/var/lib/headscale
diff --git a/etc/headscale/acls.json b/etc/headscale/acls.json
new file mode 100644
index 0000000..5169ed6
--- /dev/null
+++ b/etc/headscale/acls.json
@@ -0,0 +1,17 @@
+{
+  "acls": [
+    {
+      "action": "accept",
+      "src": ["*"],
+      "dst": ["*:*"]
+    }
+  ],
+  "ssh": [
+    {
+      "action": "accept",
+      "src": ["autogroup:members"],
+      "dst": ["autogroup:self"],
+      "users": ["root", "autogroup:nonroot"]
+    }
+  ]
+}
diff --git a/etc/headscale/config.yaml b/etc/headscale/config.yaml
index 804ec86..cdcb553 100644
--- a/etc/headscale/config.yaml
+++ b/etc/headscale/config.yaml
@@ -1,6 +1,7 @@
 server_url: https://net.fogtype.com
 listen_addr: 0.0.0.0:8080
 metrics_listen_addr: 0.0.0.0:9200
+acl_policy_path: /etc/headscale/acls.json
 db_type: sqlite3
 db_path: /var/lib/headscale/db.sqlite
 private_key_path: /var/lib/headscale/private.key
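Review bot: `HEADSCALE_EXPERIMENTAL_FEATURE_SSH: "1"` is added with no comment saying what it gates, so a later cleanup of the environment block could drop it and silently stop the `ssh` rules in etc/headscale/acls.json from being applied. Because the flag is named experimental, record the dependency next to it: `# Experimental flag: enables the "ssh" section of etc/headscale/acls.json; remove only together with that section`. Quoting the value as `"1"` is correct, since an unquoted `1` would be typed as an integer by generic YAML loaders. The enclosing service definition starts before this hunk.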
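Review bot: The network rule `"src": ["*"], "dst": ["*:*"]` is an allow-all, so loading this policy leaves node-to-node reachability as permissive as having no policy at all, and the only effective restriction in the file is the SSH stanza. If that is the intent it should be written down where the file is referenced, since strict JSON has no comment syntax; headscale documents its policy format as HuJSON, so a `//` comment inside the file may also be accepted, but verify that against the deployed version before relying on it. The SSH rule also lists `root` in `users`, which appears to permit root logins on each member's own nodes from any member device; if that is deliberate, document it, otherwise `"users": ["autogroup:nonroot"]` limits the rule to the invoking user. `"dst": ["autogroup:self"]` already scopes each member to their own devices, which is the right restrictive default for this section.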
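Review bot: `acl_policy_path: /etc/headscale/acls.json` is a container-side path, and nothing on the line records that the referenced file's `ssh` section only takes effect while HEADSCALE_EXPERIMENTAL_FEATURE_SSH is set in compose.yml. A comment above the key would tie the three changes of this commit together: `# ACL/SSH policy, bind-mounted from ./etc/headscale in compose.yml; "ssh" rules need HEADSCALE_EXPERIMENTAL_FEATURE_SSH`. The plain scalar path is safe unquoted.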