Headscale: Add ACLs to isolate tunneled traffic from homelab traffic.

Ferris is no longer able to access any devices on the home network other than duke.
This makes sure that even if ferris got compromised, the other devices would be safe(r)

.gitignore

@@ -1,2 +1,3 @@
 data/
 .env
+01-headscale/config/.acl.json.swp

01-headscale/config/acl.json

@@ -0,0 +1,32 @@
+{
+	"tagOwners": {
+		"tag:ferris": ["weckyy702@"]
+	},
+
+	"hosts": {
+		"duke.veltnet": "10.10.0.135/32",
+		"homenet": "10.10.0.0/16"
+	},
+
+	"acls": [
+		/*Untagged devices have access to everything*/
+		{
+			"action": "accept",
+			"src": ["autogroup:member"],
+			"dst": [
+				"autogroup:internet:*",
+				"autogroup:member:*",
+				"autogroup:tagged:*",
+				"homenet:*"
+			]
+		},
+		/*Ferris can only access the services hosted on duke*/
+		{
+			"action": "accept",
+			"src": ["tag:ferris"],
+			"dst": [
+				"duke.veltnet:*"
+			]
+		}
+	]
+}

01-headscale/config/config.yaml

@@ -20,7 +20,7 @@ listen_addr: 0.0.0.0:8080
 
 # Address to listen to /metrics and /debug, you may want
 # to keep this endpoint private to your internal network
-metrics_listen_addr: 0.0.0.0:9090
+# metrics_listen_addr: 0.0.0.0:9090
 
 # Address to listen for gRPC.
 # gRPC is used for controlling a headscale server
@@ -243,7 +243,7 @@ policy:
   mode: file
   # If the mode is set to "file", the path to a
   # HuJSON file containing ACL policies.
-  path: ""
+  path: "/etc/headscale/acl.json"
 
 ## DNS
 #