From 2a9cfc1fe5f4a9c8d1d54825f6cd170ff6cd8c62 Mon Sep 17 00:00:00 2001
From: Konstantin Veltmann <7jlpiyc9@gmail.com>
Date: Fri, 20 Feb 2026 11:23:16 +0000
Subject: [PATCH] Headscale: Add ACLs to isolate tunneled traffic from homelab traffic. Ferris is no longer able to access any devices on the home network other than duke. This makes sure that even if ferris got compromised, the other devices would be safe(r)
---
 .gitignore | 1 +
 01-headscale/config/acl.json | 32 ++++++++++++++++++++++++++++++++
 01-headscale/config/config.yaml | 4 ++--
 3 files changed, 35 insertions(+), 2 deletions(-)
 create mode 100644 01-headscale/config/acl.json
diff --git a/.gitignore b/.gitignore
index 0c54f60..f7bafcd 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 data/
 .env
+01-headscale/config/.acl.json.swp
diff --git a/01-headscale/config/acl.json b/01-headscale/config/acl.json
new file mode 100644
index 0000000..3b22347
--- /dev/null
+++ b/01-headscale/config/acl.json
@@ -0,0 +1,32 @@
+{
+ "tagOwners": {
+ "tag:ferris": ["weckyy702@"]
+ },
+
+ "hosts": {
+ "duke.veltnet": "10.10.0.135/32",
+ "homenet": "10.10.0.0/16"
+ },
+
+ "acls": [
+ /*Untagged devices have access to everything*/
+ {
+ "action": "accept",
+ "src": ["autogroup:member"],
+ "dst": [
+ "autogroup:internet:*",
+ "autogroup:member:*",
+ "autogroup:tagged:*",
+ "homenet:*"
+ ]
+ },
+ /*Ferris can only access the services hosted on duke*/
+ {
+ "action": "accept",
+ "src": ["tag:ferris"],
+ "dst": [
+ "duke.veltnet:*"
+ ]
+ }
+ ]
+}
diff --git a/01-headscale/config/config.yaml b/01-headscale/config/config.yaml
index d69714a..8dfa07b 100644
--- a/01-headscale/config/config.yaml
+++ b/01-headscale/config/config.yaml
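Review bot: The isolation the second rule describes only holds while the ferris node actually carries `tag:ferris`; the `tagOwners` entry merely permits `weckyy702@` to apply the tag, and nothing in this patch tags the node, so a ferris registered under that user without the tag would match `autogroup:member` in the first rule and keep full access to `homenet:*`. A comment above the second rule would make that dependency visible to whoever re-registers the node, e.g. `/* Only effective while ferris is registered with tag:ferris; an untagged ferris falls under autogroup:member above */`. Separately, `"duke.veltnet:*"` opens every port on duke rather than the "services hosted on duke" the comment describes; if those service ports are known, listing them as `"duke.veltnet:<port>"` entries keeps a compromised ferris away from duke's other listeners as well. Support for `autogroup:member` and `autogroup:tagged` is version-dependent in headscale, so it is worth confirming the deployed version accepts them; if it does not, the policy would presumably be rejected at load rather than silently grant less.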
@@ -20,7 +20,7 @@ listen_addr: 0.0.0.0:8080
 # Address to listen to /metrics and /debug, you may want
 # to keep this endpoint private to your internal network
-metrics_listen_addr: 0.0.0.0:9090
+# metrics_listen_addr: 0.0.0.0:9090
 # Address to listen for gRPC.
 # gRPC is used for controlling a headscale server
@@ -243,7 +243,7 @@ policy:
 mode: file
 # If the mode is set to "file", the path to a
 # HuJSON file containing ACL policies.
- path: ""
+ path: "/etc/headscale/acl.json"
 ## DNS
 #
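Review bot: Commenting out `metrics_listen_addr` hands the metrics/debug bind address to whatever default the deployed headscale build applies, so the decision the comment two lines above asks for (keeping the endpoint private) is no longer stated in the file and cannot be checked by reading it. If the goal is to stop listening on all interfaces, state it explicitly with `metrics_listen_addr: 127.0.0.1:9090`; if headscale runs in a container, loopback there means only in-container scrapes reach it, which may be exactly what is wanted but should be a visible choice. A short comment such as `# Bound to loopback only; metrics are not reachable from the tunnel or the LAN` above the key would record that decision.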
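Review bot: `path: "/etc/headscale/acl.json"` is an absolute path inside the runtime environment, while the policy file added by this patch lives at `01-headscale/config/acl.json` in the repository, so the link between the two is presumably a volume mount defined outside this change; a comment next to `path`, e.g. `# mounted from 01-headscale/config/acl.json`, would spare the next reader the lookup. The policy file uses `/* */` comments and so must be read as HuJSON, as the comment on the line above already says; a plain JSON validator would reject it, so any pre-deploy check of the policy needs a HuJSON-aware tool. The enclosing `policy:` mapping begins before this hunk.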