<!doctype html><html lang=en class=no-js> <head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1"><meta name=description content="An open source, self-hosted implementation of the Tailscale control server."><meta name=author content="Headscale authors"><link href=https://juanfont.github.io/headscale/development/ref/acls/ rel=canonical><link href=../tls/ rel=prev><link href=../dns/ rel=next><link rel=icon href=../../assets/favicon.png><meta name=generator content="mkdocs-1.6.1, mkdocs-material-9.7.0"><title>ACLs - Headscale</title><link rel=stylesheet href=../../assets/stylesheets/main.618322db.min.css><link rel=stylesheet href=../../assets/stylesheets/palette.ab4e12ef.min.css><link rel=preconnect href=https://fonts.gstatic.com crossorigin><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback"><style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style><script>__md_scope=new URL("../..",location),__md_hash=e=>[...e].reduce(((e,_)=>(e<<5)-e+_.charCodeAt(0)),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script><meta property=og:type content=website><meta property=og:title content="ACLs - Headscale"><meta property=og:description content="An open source, self-hosted implementation of the Tailscale control server."><meta property=og:image content=https://juanfont.github.io/headscale/development/assets/images/social/ref/acls.png><meta property=og:image:type content=image/png><meta property=og:image:width content=1200><meta property=og:image:height content=630><meta content=https://juanfont.github.io/headscale/development/ref/acls/ property=og:url><meta property=twitter:card content=summary_large_image><meta property=twitter:title content="ACLs - Headscale"><meta 
property=twitter:description content="An open source, self-hosted implementation of the Tailscale control server."><meta property=twitter:image content=https://juanfont.github.io/headscale/development/assets/images/social/ref/acls.png></head> <body dir=ltr data-md-color-scheme=default data-md-color-primary=white data-md-color-accent=indigo> <input class=md-toggle data-md-toggle=drawer type=checkbox id=__drawer autocomplete=off> <input class=md-toggle data-md-toggle=search type=checkbox id=__search autocomplete=off> <label class=md-overlay for=__drawer></label> <div data-md-component=skip> <a href=#acl-setup class=md-skip> Skip to content </a> </div> <div data-md-component=announce> </div> <div data-md-color-scheme=default data-md-component=outdated hidden> </div> <header class=md-header data-md-component=header> <nav class="md-header__inner md-grid" aria-label=Header> <a href=../.. title=Headscale class="md-header__button md-logo" aria-label=Headscale data-md-component=logo> <img src=../../logo/headscale3-dots.svg alt=logo> </a> <label class="md-header__button md-icon" for=__drawer> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M3 6h18v2H3zm0 5h18v2H3zm0 5h18v2H3z"/></svg> </label> <div class=md-header__title data-md-component=header-title> <div class=md-header__ellipsis> <div class=md-header__topic> <span class=md-ellipsis> Headscale </span> </div> <div class=md-header__topic data-md-component=header-topic> <span class=md-ellipsis> ACLs </span> </div> </div> </div> <form class=md-header__option data-md-component=palette> <input class=md-option data-md-color-media data-md-color-scheme=default data-md-color-primary=white data-md-color-accent=indigo aria-label="Switch to dark mode" type=radio name=__palette id=__palette_0> <label class="md-header__button md-icon" title="Switch to dark mode" for=__palette_1 hidden> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M12 8a4 4 0 0 0-4 4 4 4 0 0 0 4 4 4 4 0 0 0 4-4 4 4 0 0 0-4-4m0 
10a6 6 0 0 1-6-6 6 6 0 0 1 6-6 6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23
</span></code></pre></div> </li> <li> <p><a href=https://tailscale.com/kb/1192/acl-samples#deny-all><strong>Deny All</strong></a>: To prevent all communication within your tailnet, you can include an empty array for the <code>"acls"</code> field in your policy file.</p> <div class="language-json highlight"><pre><span></span><code><span id=__span-1-1><a id=__codelineno-1-1 name=__codelineno-1-1 href=#__codelineno-1-1></a><span class=p>{</span>
</span><span id=__span-1-2><a id=__codelineno-1-2 name=__codelineno-1-2 href=#__codelineno-1-2></a><span class=w> </span><span class=nt>&quot;acls&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[]</span>
</span><span id=__span-1-3><a id=__codelineno-1-3 name=__codelineno-1-3 href=#__codelineno-1-3></a><span class=p>}</span>
</span></code></pre></div> </li> </ul> <h2 id=complex-example>Complex Example<a class=headerlink href=#complex-example title="Permanent link">&para;</a></h2> <p>Let's build a more complex example use case for a small business (it may be the place where ACLs are the most useful).</p> <p>We have a small company with a boss, an admin, two developers and an intern.</p> <p>The boss should have access to all servers but not to the users' hosts. The admin should also have access to all hosts, except that their permissions should be limited to maintaining the hosts (for example purposes). The developers can do anything they want on dev hosts but can only watch on production hosts. The intern can only interact with the development servers.</p> <p>There's an additional server that acts as a router, connecting the VPN users to an internal network <code>10.20.0.0/16</code>. Developers must have access to those internal resources.</p> <p>Each user has at least one device connected to the network, and we have some servers:</p> <ul> <li>database.prod</li> <li>database.dev</li> <li>app-server1.prod</li> <li>app-server1.dev</li> <li>billing.internal</li> <li>router.internal</li> </ul> <p><img alt="ACL implementation example" src=../../images/headscale-acl-network.png></p> <p>When <a href=../../usage/getting-started/#register-a-node>registering the servers</a> we will need to add the flag <code>--advertise-tags=tag:&lt;tag1&gt;,tag:&lt;tag2&gt;</code>, and the user registering the server must be allowed to set those tags. Since anyone can request tags for a server they register, the tags are checked on the headscale server and only valid tags are applied.
A tag is valid if the user registering the server is allowed to set it, as declared in <code>tagOwners</code>.</p> <p>Here are the ACLs that implement the permissions described above:</p> <div class="language-json highlight"><span class=filename>acl.json</span><pre><span></span><code><span id=__span-2-1><a id=__codelineno-2-1 name=__codelineno-2-1 href=#__codelineno-2-1></a><span class=p>{</span>
</span><span id=__span-2-2><a id=__codelineno-2-2 name=__codelineno-2-2 href=#__codelineno-2-2></a><span class=w> </span><span class=c1>// groups are collections of users having a common scope. A user can be in multiple groups</span>
</span><span id=__span-2-3><a id=__codelineno-2-3 name=__codelineno-2-3 href=#__codelineno-2-3></a><span class=w> </span><span class=c1>// groups cannot be composed of groups</span>
</span><span id=__span-2-4><a id=__codelineno-2-4 name=__codelineno-2-4 href=#__codelineno-2-4></a><span class=w> </span><span class=nt>&quot;groups&quot;</span><span class=p>:</span><span class=w> </span><span class=p>{</span>
</span><span id=__span-2-5><a id=__codelineno-2-5 name=__codelineno-2-5 href=#__codelineno-2-5></a><span class=w> </span><span class=nt>&quot;group:boss&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;boss@&quot;</span><span class=p>],</span>
</span><span id=__span-2-6><a id=__codelineno-2-6 name=__codelineno-2-6 href=#__codelineno-2-6></a><span class=w> </span><span class=nt>&quot;group:dev&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;dev1@&quot;</span><span class=p>,</span><span class=w> </span><span class=s2>&quot;dev2@&quot;</span><span class=p>],</span>
</span><span id=__span-2-7><a id=__codelineno-2-7 name=__codelineno-2-7 href=#__codelineno-2-7></a><span class=w> </span><span class=nt>&quot;group:admin&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;admin1@&quot;</span><span class=p>],</span>
</span><span id=__span-2-8><a id=__codelineno-2-8 name=__codelineno-2-8 href=#__codelineno-2-8></a><span class=w> </span><span class=nt>&quot;group:intern&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;intern1@&quot;</span><span class=p>]</span>
</span><span id=__span-2-9><a id=__codelineno-2-9 name=__codelineno-2-9 href=#__codelineno-2-9></a><span class=w> </span><span class=p>},</span>
</span><span id=__span-2-10><a id=__codelineno-2-10 name=__codelineno-2-10 href=#__codelineno-2-10></a><span class=w> </span><span class=c1>// tagOwners in tailscale is an association between a TAG and the people allowed to set this TAG on a server.</span>
</span><span id=__span-2-11><a id=__codelineno-2-11 name=__codelineno-2-11 href=#__codelineno-2-11></a><span class=w> </span><span class=c1>// This is documented [here](https://tailscale.com/kb/1068/acl-tags#defining-a-tag)</span>
</span><span id=__span-2-12><a id=__codelineno-2-12 name=__codelineno-2-12 href=#__codelineno-2-12></a><span class=w> </span><span class=c1>// and explained [here](https://tailscale.com/blog/rbac-like-it-was-meant-to-be/)</span>
</span><span id=__span-2-13><a id=__codelineno-2-13 name=__codelineno-2-13 href=#__codelineno-2-13></a><span class=w> </span><span class=nt>&quot;tagOwners&quot;</span><span class=p>:</span><span class=w> </span><span class=p>{</span>
</span><span id=__span-2-14><a id=__codelineno-2-14 name=__codelineno-2-14 href=#__codelineno-2-14></a><span class=w> </span><span class=c1>// the administrators can add servers in production</span>
</span><span id=__span-2-15><a id=__codelineno-2-15 name=__codelineno-2-15 href=#__codelineno-2-15></a><span class=w> </span><span class=nt>&quot;tag:prod-databases&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;group:admin&quot;</span><span class=p>],</span>
</span><span id=__span-2-16><a id=__codelineno-2-16 name=__codelineno-2-16 href=#__codelineno-2-16></a><span class=w> </span><span class=nt>&quot;tag:prod-app-servers&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;group:admin&quot;</span><span class=p>],</span>
</span><span id=__span-2-17><a id=__codelineno-2-17 name=__codelineno-2-17 href=#__codelineno-2-17></a>
</span><span id=__span-2-18><a id=__codelineno-2-18 name=__codelineno-2-18 href=#__codelineno-2-18></a><span class=w> </span><span class=c1>// the boss can tag any server as internal</span>
</span><span id=__span-2-19><a id=__codelineno-2-19 name=__codelineno-2-19 href=#__codelineno-2-19></a><span class=w> </span><span class=nt>&quot;tag:internal&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;group:boss&quot;</span><span class=p>],</span>
</span><span id=__span-2-20><a id=__codelineno-2-20 name=__codelineno-2-20 href=#__codelineno-2-20></a>
</span><span id=__span-2-21><a id=__codelineno-2-21 name=__codelineno-2-21 href=#__codelineno-2-21></a><span class=w> </span><span class=c1>// devs can add servers for dev purposes, as can admins</span>
</span><span id=__span-2-22><a id=__codelineno-2-22 name=__codelineno-2-22 href=#__codelineno-2-22></a><span class=w> </span><span class=nt>&quot;tag:dev-databases&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;group:admin&quot;</span><span class=p>,</span><span class=w> </span><span class=s2>&quot;group:dev&quot;</span><span class=p>],</span>
</span><span id=__span-2-23><a id=__codelineno-2-23 name=__codelineno-2-23 href=#__codelineno-2-23></a><span class=w> </span><span class=nt>&quot;tag:dev-app-servers&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;group:admin&quot;</span><span class=p>,</span><span class=w> </span><span class=s2>&quot;group:dev&quot;</span><span class=p>]</span>
</span><span id=__span-2-24><a id=__codelineno-2-24 name=__codelineno-2-24 href=#__codelineno-2-24></a>
</span><span id=__span-2-25><a id=__codelineno-2-25 name=__codelineno-2-25 href=#__codelineno-2-25></a><span class=w> </span><span class=c1>// interns cannot add servers</span>
</span><span id=__span-2-26><a id=__codelineno-2-26 name=__codelineno-2-26 href=#__codelineno-2-26></a><span class=w> </span><span class=p>},</span>
</span><span id=__span-2-27><a id=__codelineno-2-27 name=__codelineno-2-27 href=#__codelineno-2-27></a><span class=w> </span><span class=c1>// hosts should be defined using their IP addresses and a subnet mask.</span>
</span><span id=__span-2-28><a id=__codelineno-2-28 name=__codelineno-2-28 href=#__codelineno-2-28></a><span class=w> </span><span class=c1>// to define a single host, use a /32 mask. You cannot use DNS entries here,</span>
</span><span id=__span-2-29><a id=__codelineno-2-29 name=__codelineno-2-29 href=#__codelineno-2-29></a><span class=w> </span><span class=c1>// as they&#39;re prone to be hijacked by replacing their IP addresses.</span>
</span><span id=__span-2-30><a id=__codelineno-2-30 name=__codelineno-2-30 href=#__codelineno-2-30></a><span class=w> </span><span class=c1>// see https://github.com/tailscale/tailscale/issues/3800 for more information.</span>
</span><span id=__span-2-31><a id=__codelineno-2-31 name=__codelineno-2-31 href=#__codelineno-2-31></a><span class=w> </span><span class=nt>&quot;hosts&quot;</span><span class=p>:</span><span class=w> </span><span class=p>{</span>
</span><span id=__span-2-32><a id=__codelineno-2-32 name=__codelineno-2-32 href=#__codelineno-2-32></a><span class=w> </span><span class=nt>&quot;postgresql.internal&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;10.20.0.2/32&quot;</span><span class=p>,</span>
</span><span id=__span-2-33><a id=__codelineno-2-33 name=__codelineno-2-33 href=#__codelineno-2-33></a><span class=w> </span><span class=nt>&quot;webservers.internal&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;10.20.10.1/29&quot;</span>
</span><span id=__span-2-34><a id=__codelineno-2-34 name=__codelineno-2-34 href=#__codelineno-2-34></a><span class=w> </span><span class=p>},</span>
</span><span id=__span-2-35><a id=__codelineno-2-35 name=__codelineno-2-35 href=#__codelineno-2-35></a><span class=w> </span><span class=nt>&quot;acls&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span>
</span><span id=__span-2-36><a id=__codelineno-2-36 name=__codelineno-2-36 href=#__codelineno-2-36></a><span class=w> </span><span class=c1>// the boss has access to all servers</span>
</span><span id=__span-2-37><a id=__codelineno-2-37 name=__codelineno-2-37 href=#__codelineno-2-37></a><span class=w> </span><span class=p>{</span>
</span><span id=__span-2-38><a id=__codelineno-2-38 name=__codelineno-2-38 href=#__codelineno-2-38></a><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span>
</span><span id=__span-2-39><a id=__codelineno-2-39 name=__codelineno-2-39 href=#__codelineno-2-39></a><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;group:boss&quot;</span><span class=p>],</span>
</span><span id=__span-2-40><a id=__codelineno-2-40 name=__codelineno-2-40 href=#__codelineno-2-40></a><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span>
</span><span id=__span-2-41><a id=__codelineno-2-41 name=__codelineno-2-41 href=#__codelineno-2-41></a><span class=w> </span><span class=s2>&quot;tag:prod-databases:*&quot;</span><span class=p>,</span>
</span><span id=__span-2-42><a id=__codelineno-2-42 name=__codelineno-2-42 href=#__codelineno-2-42></a><span class=w> </span><span class=s2>&quot;tag:prod-app-servers:*&quot;</span><span class=p>,</span>
</span><span id=__span-2-43><a id=__codelineno-2-43 name=__codelineno-2-43 href=#__codelineno-2-43></a><span class=w> </span><span class=s2>&quot;tag:internal:*&quot;</span><span class=p>,</span>
</span><span id=__span-2-44><a id=__codelineno-2-44 name=__codelineno-2-44 href=#__codelineno-2-44></a><span class=w> </span><span class=s2>&quot;tag:dev-databases:*&quot;</span><span class=p>,</span>
</span><span id=__span-2-45><a id=__codelineno-2-45 name=__codelineno-2-45 href=#__codelineno-2-45></a><span class=w> </span><span class=s2>&quot;tag:dev-app-servers:*&quot;</span>
</span><span id=__span-2-46><a id=__codelineno-2-46 name=__codelineno-2-46 href=#__codelineno-2-46></a><span class=w> </span><span class=p>]</span>
</span><span id=__span-2-47><a id=__codelineno-2-47 name=__codelineno-2-47 href=#__codelineno-2-47></a><span class=w> </span><span class=p>},</span>
</span><span id=__span-2-48><a id=__codelineno-2-48 name=__codelineno-2-48 href=#__codelineno-2-48></a>
</span><span id=__span-2-49><a id=__codelineno-2-49 name=__codelineno-2-49 href=#__codelineno-2-49></a><span class=w> </span><span class=c1>// admins only have access to the administrative port of the servers, tcp/22</span>
</span><span id=__span-2-50><a id=__codelineno-2-50 name=__codelineno-2-50 href=#__codelineno-2-50></a><span class=w> </span><span class=p>{</span>
</span><span id=__span-2-51><a id=__codelineno-2-51 name=__codelineno-2-51 href=#__codelineno-2-51></a><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span>
</span><span id=__span-2-52><a id=__codelineno-2-52 name=__codelineno-2-52 href=#__codelineno-2-52></a><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;group:admin&quot;</span><span class=p>],</span>
</span><span id=__span-2-53><a id=__codelineno-2-53 name=__codelineno-2-53 href=#__codelineno-2-53></a><span class=w> </span><span class=nt>&quot;proto&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;tcp&quot;</span><span class=p>,</span>
</span><span id=__span-2-54><a id=__codelineno-2-54 name=__codelineno-2-54 href=#__codelineno-2-54></a><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span>
</span><span id=__span-2-55><a id=__codelineno-2-55 name=__codelineno-2-55 href=#__codelineno-2-55></a><span class=w> </span><span class=s2>&quot;tag:prod-databases:22&quot;</span><span class=p>,</span>
</span><span id=__span-2-56><a id=__codelineno-2-56 name=__codelineno-2-56 href=#__codelineno-2-56></a><span class=w> </span><span class=s2>&quot;tag:prod-app-servers:22&quot;</span><span class=p>,</span>
</span><span id=__span-2-57><a id=__codelineno-2-57 name=__codelineno-2-57 href=#__codelineno-2-57></a><span class=w> </span><span class=s2>&quot;tag:internal:22&quot;</span><span class=p>,</span>
</span><span id=__span-2-58><a id=__codelineno-2-58 name=__codelineno-2-58 href=#__codelineno-2-58></a><span class=w> </span><span class=s2>&quot;tag:dev-databases:22&quot;</span><span class=p>,</span>
</span><span id=__span-2-59><a id=__codelineno-2-59 name=__codelineno-2-59 href=#__codelineno-2-59></a><span class=w> </span><span class=s2>&quot;tag:dev-app-servers:22&quot;</span>
</span><span id=__span-2-60><a id=__codelineno-2-60 name=__codelineno-2-60 href=#__codelineno-2-60></a><span class=w> </span><span class=p>]</span>
</span><span id=__span-2-61><a id=__codelineno-2-61 name=__codelineno-2-61 href=#__codelineno-2-61></a><span class=w> </span><span class=p>},</span>
</span><span id=__span-2-62><a id=__codelineno-2-62 name=__codelineno-2-62 href=#__codelineno-2-62></a>
</span><span id=__span-2-63><a id=__codelineno-2-63 name=__codelineno-2-63 href=#__codelineno-2-63></a><span class=w> </span><span class=c1>// we also allow admin to ping the servers</span>
</span><span id=__span-2-64><a id=__codelineno-2-64 name=__codelineno-2-64 href=#__codelineno-2-64></a><span class=w> </span><span class=p>{</span>
</span><span id=__span-2-65><a id=__codelineno-2-65 name=__codelineno-2-65 href=#__codelineno-2-65></a><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span>
</span><span id=__span-2-66><a id=__codelineno-2-66 name=__codelineno-2-66 href=#__codelineno-2-66></a><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;group:admin&quot;</span><span class=p>],</span>
</span><span id=__span-2-67><a id=__codelineno-2-67 name=__codelineno-2-67 href=#__codelineno-2-67></a><span class=w> </span><span class=nt>&quot;proto&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;icmp&quot;</span><span class=p>,</span>
</span><span id=__span-2-68><a id=__codelineno-2-68 name=__codelineno-2-68 href=#__codelineno-2-68></a><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span>
</span><span id=__span-2-69><a id=__codelineno-2-69 name=__codelineno-2-69 href=#__codelineno-2-69></a><span class=w> </span><span class=s2>&quot;tag:prod-databases:*&quot;</span><span class=p>,</span>
</span><span id=__span-2-70><a id=__codelineno-2-70 name=__codelineno-2-70 href=#__codelineno-2-70></a><span class=w> </span><span class=s2>&quot;tag:prod-app-servers:*&quot;</span><span class=p>,</span>
</span><span id=__span-2-71><a id=__codelineno-2-71 name=__codelineno-2-71 href=#__codelineno-2-71></a><span class=w> </span><span class=s2>&quot;tag:internal:*&quot;</span><span class=p>,</span>
</span><span id=__span-2-72><a id=__codelineno-2-72 name=__codelineno-2-72 href=#__codelineno-2-72></a><span class=w> </span><span class=s2>&quot;tag:dev-databases:*&quot;</span><span class=p>,</span>
</span><span id=__span-2-73><a id=__codelineno-2-73 name=__codelineno-2-73 href=#__codelineno-2-73></a><span class=w> </span><span class=s2>&quot;tag:dev-app-servers:*&quot;</span>
</span><span id=__span-2-74><a id=__codelineno-2-74 name=__codelineno-2-74 href=#__codelineno-2-74></a><span class=w> </span><span class=p>]</span>
</span><span id=__span-2-75><a id=__codelineno-2-75 name=__codelineno-2-75 href=#__codelineno-2-75></a><span class=w> </span><span class=p>},</span>
</span><span id=__span-2-76><a id=__codelineno-2-76 name=__codelineno-2-76 href=#__codelineno-2-76></a>
</span><span id=__span-2-77><a id=__codelineno-2-77 name=__codelineno-2-77 href=#__codelineno-2-77></a><span class=w> </span><span class=c1>// developers have access to database servers and application servers on all ports</span>
</span><span id=__span-2-78><a id=__codelineno-2-78 name=__codelineno-2-78 href=#__codelineno-2-78></a><span class=w> </span><span class=c1>// they can only view the application servers in prod and have no access to database servers in production</span>
</span><span id=__span-2-79><a id=__codelineno-2-79 name=__codelineno-2-79 href=#__codelineno-2-79></a><span class=w> </span><span class=p>{</span>
</span><span id=__span-2-80><a id=__codelineno-2-80 name=__codelineno-2-80 href=#__codelineno-2-80></a><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span>
</span><span id=__span-2-81><a id=__codelineno-2-81 name=__codelineno-2-81 href=#__codelineno-2-81></a><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;group:dev&quot;</span><span class=p>],</span>
</span><span id=__span-2-82><a id=__codelineno-2-82 name=__codelineno-2-82 href=#__codelineno-2-82></a><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span>
</span><span id=__span-2-83><a id=__codelineno-2-83 name=__codelineno-2-83 href=#__codelineno-2-83></a><span class=w> </span><span class=s2>&quot;tag:dev-databases:*&quot;</span><span class=p>,</span>
</span><span id=__span-2-84><a id=__codelineno-2-84 name=__codelineno-2-84 href=#__codelineno-2-84></a><span class=w> </span><span class=s2>&quot;tag:dev-app-servers:*&quot;</span><span class=p>,</span>
</span><span id=__span-2-85><a id=__codelineno-2-85 name=__codelineno-2-85 href=#__codelineno-2-85></a><span class=w> </span><span class=s2>&quot;tag:prod-app-servers:80,443&quot;</span>
</span><span id=__span-2-86><a id=__codelineno-2-86 name=__codelineno-2-86 href=#__codelineno-2-86></a><span class=w> </span><span class=p>]</span>
</span><span id=__span-2-87><a id=__codelineno-2-87 name=__codelineno-2-87 href=#__codelineno-2-87></a><span class=w> </span><span class=p>},</span>
</span><span id=__span-2-88><a id=__codelineno-2-88 name=__codelineno-2-88 href=#__codelineno-2-88></a><span class=w> </span><span class=c1>// developers have access to the internal network through the router.</span>
</span><span id=__span-2-89><a id=__codelineno-2-89 name=__codelineno-2-89 href=#__codelineno-2-89></a><span class=w> </span><span class=c1>// the internal network is composed of HTTPS endpoints and Postgresql</span>
</span><span id=__span-2-90><a id=__codelineno-2-90 name=__codelineno-2-90 href=#__codelineno-2-90></a><span class=w> </span><span class=c1>// database servers.</span>
</span><span id=__span-2-91><a id=__codelineno-2-91 name=__codelineno-2-91 href=#__codelineno-2-91></a><span class=w> </span><span class=p>{</span>
</span><span id=__span-2-92><a id=__codelineno-2-92 name=__codelineno-2-92 href=#__codelineno-2-92></a><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span>
</span><span id=__span-2-93><a id=__codelineno-2-93 name=__codelineno-2-93 href=#__codelineno-2-93></a><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;group:dev&quot;</span><span class=p>],</span>
</span><span id=__span-2-94><a id=__codelineno-2-94 name=__codelineno-2-94 href=#__codelineno-2-94></a><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;10.20.0.0/16:443,5432&quot;</span><span class=p>]</span>
</span><span id=__span-2-95><a id=__codelineno-2-95 name=__codelineno-2-95 href=#__codelineno-2-95></a><span class=w> </span><span class=p>},</span>
</span><span id=__span-2-96><a id=__codelineno-2-96 name=__codelineno-2-96 href=#__codelineno-2-96></a>
</span><span id=__span-2-97><a id=__codelineno-2-97 name=__codelineno-2-97 href=#__codelineno-2-97></a><span class=w> </span><span class=c1>// app servers should be able to talk to the database on tcp/5432. The database should not be able to initiate connections to</span>
</span><span id=__span-2-98><a id=__codelineno-2-98 name=__codelineno-2-98 href=#__codelineno-2-98></a><span class=w> </span><span class=c1>// application servers</span>
</span><span id=__span-2-99><a id=__codelineno-2-99 name=__codelineno-2-99 href=#__codelineno-2-99></a><span class=w> </span><span class=p>{</span>
</span><span id=__span-2-100><a id=__codelineno-2-100 name=__codelineno-2-100 href=#__codelineno-2-100></a><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span>
</span><span id=__span-2-101><a id=__codelineno-2-101 name=__codelineno-2-101 href=#__codelineno-2-101></a><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;tag:dev-app-servers&quot;</span><span class=p>],</span>
</span><span id=__span-2-102><a id=__codelineno-2-102 name=__codelineno-2-102 href=#__codelineno-2-102></a><span class=w> </span><span class=nt>&quot;proto&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;tcp&quot;</span><span class=p>,</span>
</span><span id=__span-2-103><a id=__codelineno-2-103 name=__codelineno-2-103 href=#__codelineno-2-103></a><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;tag:dev-databases:5432&quot;</span><span class=p>]</span>
</span><span id=__span-2-104><a id=__codelineno-2-104 name=__codelineno-2-104 href=#__codelineno-2-104></a><span class=w> </span><span class=p>},</span>
</span><span id=__span-2-105><a id=__codelineno-2-105 name=__codelineno-2-105 href=#__codelineno-2-105></a><span class=w> </span><span class=p>{</span>
</span><span id=__span-2-106><a id=__codelineno-2-106 name=__codelineno-2-106 href=#__codelineno-2-106></a><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span>
</span><span id=__span-2-107><a id=__codelineno-2-107 name=__codelineno-2-107 href=#__codelineno-2-107></a><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;tag:prod-app-servers&quot;</span><span class=p>],</span>
</span><span id=__span-2-108><a id=__codelineno-2-108 name=__codelineno-2-108 href=#__codelineno-2-108></a><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;tag:prod-databases:5432&quot;</span><span class=p>]</span>
</span><span id=__span-2-109><a id=__codelineno-2-109 name=__codelineno-2-109 href=#__codelineno-2-109></a><span class=w> </span><span class=p>},</span>
</span><span id=__span-2-110><a id=__codelineno-2-110 name=__codelineno-2-110 href=#__codelineno-2-110></a>
</span><span id=__span-2-111><a id=__codelineno-2-111 name=__codelineno-2-111 href=#__codelineno-2-111></a><span class=w> </span><span class=c1>// interns only have read-only access to dev-app-servers</span>
</span><span id=__span-2-112><a id=__codelineno-2-112 name=__codelineno-2-112 href=#__codelineno-2-112></a><span class=w> </span><span class=p>{</span>
</span><span id=__span-2-113><a id=__codelineno-2-113 name=__codelineno-2-113 href=#__codelineno-2-113></a><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span>
</span><span id=__span-2-114><a id=__codelineno-2-114 name=__codelineno-2-114 href=#__codelineno-2-114></a><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;group:intern&quot;</span><span class=p>],</span>
</span><span id=__span-2-115><a id=__codelineno-2-115 name=__codelineno-2-115 href=#__codelineno-2-115></a><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;tag:dev-app-servers:80,443&quot;</span><span class=p>]</span>
</span><span id=__span-2-116><a id=__codelineno-2-116 name=__codelineno-2-116 href=#__codelineno-2-116></a><span class=w> </span><span class=p>},</span>
</span><span id=__span-2-117><a id=__codelineno-2-117 name=__codelineno-2-117 href=#__codelineno-2-117></a>
</span><span id=__span-2-118><a id=__codelineno-2-118 name=__codelineno-2-118 href=#__codelineno-2-118></a><span class=w> </span><span class=c1>// Allow users to access their own devices using autogroup:self (see below for more details about performance impact)</span>
</span><span id=__span-2-119><a id=__codelineno-2-119 name=__codelineno-2-119 href=#__codelineno-2-119></a><span class=w> </span><span class=p>{</span>
</span><span id=__span-2-120><a id=__codelineno-2-120 name=__codelineno-2-120 href=#__codelineno-2-120></a><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span>
</span><span id=__span-2-121><a id=__codelineno-2-121 name=__codelineno-2-121 href=#__codelineno-2-121></a><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;autogroup:member&quot;</span><span class=p>],</span>
</span><span id=__span-2-122><a id=__codelineno-2-122 name=__codelineno-2-122 href=#__codelineno-2-122></a><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;autogroup:self:*&quot;</span><span class=p>]</span>
</span><span id=__span-2-123><a id=__codelineno-2-123 name=__codelineno-2-123 href=#__codelineno-2-123></a><span class=w> </span><span class=p>}</span>
</span><span id=__span-2-124><a id=__codelineno-2-124 name=__codelineno-2-124 href=#__codelineno-2-124></a><span class=w> </span><span class=p>]</span>
</span><span id=__span-2-125><a id=__codelineno-2-125 name=__codelineno-2-125 href=#__codelineno-2-125></a><span class=p>}</span>
</span></code></pre></div> <h2 id=autogroups>Autogroups<a class=headerlink href=#autogroups title="Permanent link">&para;</a></h2> <p>Headscale supports several autogroups that automatically include users, destinations, or devices with specific properties. Autogroups provide a convenient way to write ACL rules without manually listing individual users or devices.</p> <h3 id=autogroupinternet><code>autogroup:internet</code><a class=headerlink href=#autogroupinternet title="Permanent link">&para;</a></h3> <p>Allows access to the internet through <a href=../routes/#exit-node>exit nodes</a>. Can only be used in ACL destinations.</p> <div class="language-json highlight"><pre><span></span><code><span id=__span-3-1><a id=__codelineno-3-1 name=__codelineno-3-1 href=#__codelineno-3-1></a><span class=p>{</span>
</span><span id=__span-3-2><a id=__codelineno-3-2 name=__codelineno-3-2 href=#__codelineno-3-2></a><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span>
</span><span id=__span-3-3><a id=__codelineno-3-3 name=__codelineno-3-3 href=#__codelineno-3-3></a><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;group:users&quot;</span><span class=p>],</span>
</span><span id=__span-3-4><a id=__codelineno-3-4 name=__codelineno-3-4 href=#__codelineno-3-4></a><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;autogroup:internet:*&quot;</span><span class=p>]</span>
</span><span id=__span-3-5><a id=__codelineno-3-5 name=__codelineno-3-5 href=#__codelineno-3-5></a><span class=p>}</span>
</span></code></pre></div> <h3 id=autogroupmember><code>autogroup:member</code><a class=headerlink href=#autogroupmember title="Permanent link">&para;</a></h3> <p>Includes all users who are direct members of the tailnet. Does not include users from shared devices.</p> <div class="language-json highlight"><pre><span></span><code><span id=__span-4-1><a id=__codelineno-4-1 name=__codelineno-4-1 href=#__codelineno-4-1></a><span class=p>{</span>
</span><span id=__span-4-2><a id=__codelineno-4-2 name=__codelineno-4-2 href=#__codelineno-4-2></a><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span>
</span><span id=__span-4-3><a id=__codelineno-4-3 name=__codelineno-4-3 href=#__codelineno-4-3></a><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;autogroup:member&quot;</span><span class=p>],</span>
</span><span id=__span-4-4><a id=__codelineno-4-4 name=__codelineno-4-4 href=#__codelineno-4-4></a><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;tag:prod-app-servers:80,443&quot;</span><span class=p>]</span>
</span><span id=__span-4-5><a id=__codelineno-4-5 name=__codelineno-4-5 href=#__codelineno-4-5></a><span class=p>}</span>
</span></code></pre></div> <h3 id=autogrouptagged><code>autogroup:tagged</code><a class=headerlink href=#autogrouptagged title="Permanent link">&para;</a></h3> <p>Includes all devices that have at least one tag.</p> <div class="language-json highlight"><pre><span></span><code><span id=__span-5-1><a id=__codelineno-5-1 name=__codelineno-5-1 href=#__codelineno-5-1></a><span class=p>{</span>
</span><span id=__span-5-2><a id=__codelineno-5-2 name=__codelineno-5-2 href=#__codelineno-5-2></a><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span>
</span><span id=__span-5-3><a id=__codelineno-5-3 name=__codelineno-5-3 href=#__codelineno-5-3></a><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;autogroup:tagged&quot;</span><span class=p>],</span>
</span><span id=__span-5-4><a id=__codelineno-5-4 name=__codelineno-5-4 href=#__codelineno-5-4></a><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;tag:monitoring:9090&quot;</span><span class=p>]</span>
</span><span id=__span-5-5><a id=__codelineno-5-5 name=__codelineno-5-5 href=#__codelineno-5-5></a><span class=p>}</span>
</span></code></pre></div> <h3 id=autogroupself><code>autogroup:self</code><a class=headerlink href=#autogroupself title="Permanent link">&para;</a></h3> <p><strong>(EXPERIMENTAL)</strong></p> <div class="admonition warning"> <p class=admonition-title>The current implementation of <code>autogroup:self</code> is inefficient</p> </div> <p>Includes devices where the same user is authenticated on both the source and destination. Does not include tagged devices. Can only be used in ACL destinations.</p> <p><div class="language-json highlight"><pre><span></span><code><span id=__span-6-1><a id=__codelineno-6-1 name=__codelineno-6-1 href=#__codelineno-6-1></a><span class=p>{</span>
</span><span id=__span-6-2><a id=__codelineno-6-2 name=__codelineno-6-2 href=#__codelineno-6-2></a><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span>
</span><span id=__span-6-3><a id=__codelineno-6-3 name=__codelineno-6-3 href=#__codelineno-6-3></a><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;autogroup:member&quot;</span><span class=p>],</span>
</span><span id=__span-6-4><a id=__codelineno-6-4 name=__codelineno-6-4 href=#__codelineno-6-4></a><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;autogroup:self:*&quot;</span><span class=p>]</span>
</span><span id=__span-6-5><a id=__codelineno-6-5 name=__codelineno-6-5 href=#__codelineno-6-5></a><span class=p>}</span>
</span></code></pre></div> <em>Using <code>autogroup:self</code> may cause performance degradation on the Headscale coordinator server in large deployments, as filter rules must be compiled per-node rather than globally and the current implementation is not very efficient.</em></p> <p>If you experience performance issues, consider using more specific ACL rules or limiting the use of <code>autogroup:self</code>. <div class="language-json highlight"><pre><span></span><code><span id=__span-7-1><a id=__codelineno-7-1 name=__codelineno-7-1 href=#__codelineno-7-1></a><span class=p>{</span>
</span><span id=__span-7-1a><a id=__codelineno-7-1a name=__codelineno-7-1a href=#__codelineno-7-1a></a><span class=w> </span><span class=nt>&quot;acls&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span>
</span><span id=__span-7-2><a id=__codelineno-7-2 name=__codelineno-7-2 href=#__codelineno-7-2></a><span class=w> </span><span class=c1>// The following rules allow internal users to communicate with their</span>
</span><span id=__span-7-3><a id=__codelineno-7-3 name=__codelineno-7-3 href=#__codelineno-7-3></a><span class=w> </span><span class=c1>// own nodes in case autogroup:self is causing performance issues.</span>
</span><span id=__span-7-4><a id=__codelineno-7-4 name=__codelineno-7-4 href=#__codelineno-7-4></a><span class=w> </span><span class=p>{</span><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;boss@&quot;</span><span class=p>],</span><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;boss@:*&quot;</span><span class=p>]</span><span class=w> </span><span class=p>},</span>
</span><span id=__span-7-5><a id=__codelineno-7-5 name=__codelineno-7-5 href=#__codelineno-7-5></a><span class=w> </span><span class=p>{</span><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;dev1@&quot;</span><span class=p>],</span><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;dev1@:*&quot;</span><span class=p>]</span><span class=w> </span><span class=p>},</span>
</span><span id=__span-7-6><a id=__codelineno-7-6 name=__codelineno-7-6 href=#__codelineno-7-6></a><span class=w> </span><span class=p>{</span><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;dev2@&quot;</span><span class=p>],</span><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;dev2@:*&quot;</span><span class=p>]</span><span class=w> </span><span class=p>},</span>
</span><span id=__span-7-7><a id=__codelineno-7-7 name=__codelineno-7-7 href=#__codelineno-7-7></a><span class=w> </span><span class=p>{</span><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;admin1@&quot;</span><span class=p>],</span><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;admin1@:*&quot;</span><span class=p>]</span><span class=w> </span><span class=p>},</span>
</span><span id=__span-7-8><a id=__codelineno-7-8 name=__codelineno-7-8 href=#__codelineno-7-8></a><span class=w> </span><span class=p>{</span><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;intern1@&quot;</span><span class=p>],</span><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;intern1@:*&quot;</span><span class=p>]</span><span class=w> </span><span class=p>}</span>
</span><span id=__span-7-8a><a id=__codelineno-7-8a name=__codelineno-7-8a href=#__codelineno-7-8a></a><span class=w> </span><span class=p>]</span>
</span><span id=__span-7-9><a id=__codelineno-7-9 name=__codelineno-7-9 href=#__codelineno-7-9></a><span class=p>}</span>
</span></code></pre></div></p> <h3 id=autogroupnonroot><code>autogroup:nonroot</code><a class=headerlink href=#autogroupnonroot title="Permanent link">&para;</a></h3> <p>Used in Tailscale SSH rules to allow access to any user except root. Can only be used in the <code>users</code> field of SSH rules.</p> <div class="language-json highlight"><pre><span></span><code><span id=__span-8-1><a id=__codelineno-8-1 name=__codelineno-8-1 href=#__codelineno-8-1></a><span class=p>{</span>
</span><span id=__span-8-2><a id=__codelineno-8-2 name=__codelineno-8-2 href=#__codelineno-8-2></a><span class=w> </span><span class=nt>&quot;action&quot;</span><span class=p>:</span><span class=w> </span><span class=s2>&quot;accept&quot;</span><span class=p>,</span>
</span><span id=__span-8-3><a id=__codelineno-8-3 name=__codelineno-8-3 href=#__codelineno-8-3></a><span class=w> </span><span class=nt>&quot;src&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;autogroup:member&quot;</span><span class=p>],</span>
</span><span id=__span-8-4><a id=__codelineno-8-4 name=__codelineno-8-4 href=#__codelineno-8-4></a><span class=w> </span><span class=nt>&quot;dst&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;autogroup:self&quot;</span><span class=p>],</span>
</span><span id=__span-8-5><a id=__codelineno-8-5 name=__codelineno-8-5 href=#__codelineno-8-5></a><span class=w> </span><span class=nt>&quot;users&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;autogroup:nonroot&quot;</span><span class=p>]</span>
</span><span id=__span-8-6><a id=__codelineno-8-6 name=__codelineno-8-6 href=#__codelineno-8-6></a><span class=p>}</span>
</span></code></pre></div> </article> </div> </div> </main> <footer class=md-footer> <div class="md-footer-meta md-typeset"> <div class="md-footer-meta__inner md-grid"> <div class=md-copyright> <div class=md-copyright__highlight> Copyright &copy; 2025 Headscale authors </div> Made with <a href=https://squidfunk.github.io/mkdocs-material/ target=_blank rel=noopener> Material for MkDocs </a> </div> <div class=md-social> <a href=https://github.com/juanfont/headscale target=_blank rel=noopener title=github.com class=md-social__link></a> <a href=https://ko-fi.com/headscale target=_blank rel=noopener title=ko-fi.com class=md-social__link></a>
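<p>As an added example (not code from the headscale project or its documentation), a small Python lint that parses a HuJSON policy, flags autogroups used where the sections above say they cannot appear (<code>autogroup:internet</code> and <code>autogroup:self</code> outside destinations, <code>autogroup:nonroot</code> outside SSH <code>users</code>), and expands an <code>autogroup:member</code> to <code>autogroup:self</code> rule into the explicit per-user rules given above as the performance workaround. The sample policy, the user list and the function names are constructed for this example.</p>

```python
"""Lint a headscale ACL policy for autogroup placement and expand autogroup:self into
per-user rules. Added example, not headscale code; parses JSON plus // line comments."""
import json
DST_ONLY = {"autogroup:internet", "autogroup:self"}  # ACL destinations only
SSH_USERS_ONLY = {"autogroup:nonroot"}               # SSH "users" field only
# Constructed sample policy (not from the docs) with one misplaced autogroup.
SAMPLE_POLICY = """{
  "acls": [
    { "action": "accept", "src": ["group:users"], "dst": ["autogroup:internet:*"] },
    // everyone may reach their own devices (costly on large tailnets)
    { "action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self:*"] },
    // defect: autogroup:internet is destination-only
    { "action": "accept", "src": ["autogroup:internet"], "dst": ["tag:monitoring:9090"] }
  ],
  "ssh": [
    { "action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self"], "users": ["autogroup:nonroot"] }
  ]
}"""

def strip_comments(text: str) -> str:
    """Drop `//` comments that are not inside a JSON string."""
    out = []
    for line in text.splitlines():
        in_str = False
        for i, ch in enumerate(line):
            if ch == '"' and (i == 0 or line[i - 1] != "\\"):
                in_str = not in_str
            elif not in_str and line.startswith("//", i):
                line = line[:i]
                break
        out.append(line)
    return "\n".join(out)

def load_policy(text: str) -> dict:
    return json.loads(strip_comments(text))

def base(selector: str) -> str:  # "autogroup:self:*" -> "autogroup:self"
    parts = selector.split(":")
    return ":".join(parts[:2]) if len(parts) > 2 else selector

def lint(policy: dict) -> list:
    """One message per misplaced autogroup; an empty list means clean."""
    problems = []
    for section in ("acls", "ssh"):
        for i, rule in enumerate(policy.get(section, [])):
            for s in rule.get("src", []):
                if base(s) in DST_ONLY | SSH_USERS_ONLY:
                    problems.append(f"{section}[{i}].src: {s} is not allowed as a source")
            for d in rule.get("dst", []):
                if base(d) in SSH_USERS_ONLY:
                    problems.append(f"{section}[{i}].dst: {d} belongs in ssh users only")
    return problems

def expand_self(policy: dict, users: list) -> dict:
    """Replace each member->self ACL with one explicit user@ -> user@:<ports> rule per user."""
    acls = []
    for rule in policy.get("acls", []):
        dsts = rule.get("dst", [])
        if rule.get("src") == ["autogroup:member"] and dsts and all(
                base(d) == "autogroup:self" for d in dsts):
            ports = [d.split(":", 2)[2] if d.count(":") >= 2 else "*" for d in dsts]
            for u in users:  # user names without the trailing "@", e.g. "boss"
                acls.append({"action": rule.get("action", "accept"),
                             "src": [f"{u}@"], "dst": [f"{u}@:{p}" for p in ports]})
        else:
            acls.append(rule)
    return {**policy, "acls": acls}
```

Run <code>lint</code> on a policy before loading it into headscale; an empty list means no misplaced autogroup, and <code>expand_self</code> produces the same per-user rule set the workaround above writes by hand.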