headscale/docs/ref/acls.md

Headscale implements the same policy ACLs as Tailscale.com, adapted to the self-hosted environment.

For instance, instead of referring to users when defining groups you must
use users (which are the equivalent to user/logins in Tailscale.com).

Please check https://tailscale.com/kb/1018/acls/ for further information.

When using ACL's the User borders are no longer applied. All machines
whichever the User have the ability to communicate with other hosts as
long as the ACL's permits this exchange.

## ACL Setup

To enable and configure ACLs in Headscale, you need to specify the path to your ACL policy file in the `policy.path` key in `config.yaml`.

Your ACL policy file must be formatted using [huJSON](https://github.com/tailscale/hujson).

Info on how these policies are written can be found
[here](https://tailscale.com/kb/1018/acls/).

Please reload or restart Headscale after updating the ACL file. Headscale may be reloaded either via its systemd service
(`sudo systemctl reload headscale`) or by sending a SIGHUP signal (`sudo kill -HUP $(pidof headscale)`) to the main
process. Headscale logs the result of ACL policy processing after each reload.

## Simple Examples

- [**Allow All**](https://tailscale.com/kb/1192/acl-samples#allow-all-default-acl): If you define an ACL file but completely omit the `"acls"` field from its content, Headscale will default to an "allow all" policy. This means all devices connected to your tailnet will be able to communicate freely with each other.

    ```json
    {}
    ```

- [**Deny All**](https://tailscale.com/kb/1192/acl-samples#deny-all): To prevent all communication within your tailnet, you can include an empty array for the `"acls"` field in your policy file.

    ```json
    {
      "acls": []
    }
    ```

## Complex Example

Let's build a more complex example use case for a small business (It may be the place where
ACL's are the most useful).

We have a small company with a boss, an admin, two developers and an intern.

The boss should have access to all servers but not to the user's hosts. Admin
should also have access to all hosts except that their permissions should be
limited to maintaining the hosts (for example purposes). The developers can do
anything they want on dev hosts but only watch on productions hosts. Intern
can only interact with the development servers.

There's an additional server that acts as a router, connecting the VPN users
to an internal network `10.20.0.0/16`. Developers must have access to those
internal resources.

Each user have at least a device connected to the network and we have some
servers.

- database.prod
- database.dev
- app-server1.prod
- app-server1.dev
- billing.internal
- router.internal

![ACL implementation example](../images/headscale-acl-network.png)

When [registering the servers](../usage/getting-started.md#register-a-node) we
will need to add the flag `--advertise-tags=tag:<tag1>,tag:<tag2>`, and the user
that is registering the server should be allowed to do it. Since anyone can add
tags to a server they can register, the check of the tags is done on headscale
server and only valid tags are applied. A tag is valid if the user that is
registering it is allowed to do it.

Here are the ACL's to implement the same permissions as above:

```json title="acl.json"
{
  // groups are collections of users having a common scope. A user can be in multiple groups
  // groups cannot be composed of groups
  "groups": {
    "group:boss": ["boss@"],
    "group:dev": ["dev1@", "dev2@"],
    "group:admin": ["admin1@"],
    "group:intern": ["intern1@"]
  },
  // tagOwners in tailscale is an association between a TAG and the people allowed to set this TAG on a server.
  // This is documented [here](https://tailscale.com/kb/1068/acl-tags#defining-a-tag)
  // and explained [here](https://tailscale.com/blog/rbac-like-it-was-meant-to-be/)
  "tagOwners": {
    // the administrators can add servers in production
    "tag:prod-databases": ["group:admin"],
    "tag:prod-app-servers": ["group:admin"],

    // the boss can tag any server as internal
    "tag:internal": ["group:boss"],

    // dev can add servers for dev purposes as well as admins
    "tag:dev-databases": ["group:admin", "group:dev"],
    "tag:dev-app-servers": ["group:admin", "group:dev"]

    // interns cannot add servers
  },
  // hosts should be defined using its IP addresses and a subnet mask.
  // to define a single host, use a /32 mask. You cannot use DNS entries here,
  // as they're prone to be hijacked by replacing their IP addresses.
  // see https://github.com/tailscale/tailscale/issues/3800 for more information.
  "hosts": {
    "postgresql.internal": "10.20.0.2/32",
    "webservers.internal": "10.20.10.1/29"
  },
  "acls": [
    // boss have access to all servers
    {
      "action": "accept",
      "src": ["group:boss"],
      "dst": [
        "tag:prod-databases:*",
        "tag:prod-app-servers:*",
        "tag:internal:*",
        "tag:dev-databases:*",
        "tag:dev-app-servers:*"
      ]
    },

    // admin have only access to administrative ports of the servers, in tcp/22
    {
      "action": "accept",
      "src": ["group:admin"],
      "proto": "tcp",
      "dst": [
        "tag:prod-databases:22",
        "tag:prod-app-servers:22",
        "tag:internal:22",
        "tag:dev-databases:22",
        "tag:dev-app-servers:22"
      ]
    },

    // we also allow admin to ping the servers
    {
      "action": "accept",
      "src": ["group:admin"],
      "proto": "icmp",
      "dst": [
        "tag:prod-databases:*",
        "tag:prod-app-servers:*",
        "tag:internal:*",
        "tag:dev-databases:*",
        "tag:dev-app-servers:*"
      ]
    },

    // developers have access to databases servers and application servers on all ports
    // they can only view the applications servers in prod and have no access to databases servers in production
    {
      "action": "accept",
      "src": ["group:dev"],
      "dst": [
        "tag:dev-databases:*",
        "tag:dev-app-servers:*",
        "tag:prod-app-servers:80,443"
      ]
    },
    // developers have access to the internal network through the router.
    // the internal network is composed of HTTPS endpoints and Postgresql
    // database servers.
    {
      "action": "accept",
      "src": ["group:dev"],
      "dst": ["10.20.0.0/16:443,5432"]
    },

    // servers should be able to talk to database in tcp/5432. Database should not be able to initiate connections to
    // applications servers
    {
      "action": "accept",
      "src": ["tag:dev-app-servers"],
      "proto": "tcp",
      "dst": ["tag:dev-databases:5432"]
    },
    {
      "action": "accept",
      "src": ["tag:prod-app-servers"],
      "dst": ["tag:prod-databases:5432"]
    },

    // interns have access to dev-app-servers only in reading mode
    {
      "action": "accept",
      "src": ["group:intern"],
      "dst": ["tag:dev-app-servers:80,443"]
    },

    // Allow users to access their own devices using autogroup:self (see below for more details about performance impact)
    {
      "action": "accept",
      "src": ["autogroup:member"],
      "dst": ["autogroup:self:*"]
    }
  ]
}
```

## Autogroups

Headscale supports several autogroups that automatically include users, destinations, or devices with specific properties. Autogroups provide a convenient way to write ACL rules without manually listing individual users or devices.

### `autogroup:internet`

Allows access to the internet through [exit nodes](routes.md#exit-node). Can only be used in ACL destinations.  

```json
{
  "action": "accept",
  "src": ["group:users"],
  "dst": ["autogroup:internet:*"]
}
```

### `autogroup:member`

Includes all users who are direct members of the tailnet. Does not include users from shared devices.

```json
{
  "action": "accept",
  "src": ["autogroup:member"],
  "dst": ["tag:prod-app-servers:80,443"]
}
```

### `autogroup:tagged`

Includes all devices that have at least one tag.

```json
{
  "action": "accept",
  "src": ["autogroup:tagged"],
  "dst": ["tag:monitoring:9090"]
}
```

### `autogroup:self` 
**(EXPERIMENTAL)**

!!! warning "The current implementation of `autogroup:self` is inefficient"  

Includes devices where the same user is authenticated on both the source and destination. Does not include tagged devices. Can only be used in ACL destinations.

```json
{
  "action": "accept",
  "src": ["autogroup:member"],
  "dst": ["autogroup:self:*"]
}
```
*Using `autogroup:self` may cause performance degradation on the Headscale coordinator server in large deployments, as filter rules must be compiled per-node rather than globally and the current implementation is not very efficient.*

If you experience performance issues, consider using more specific ACL rules or limiting the use of `autogroup:self`.  
```json    
{
// To allow internal users communications to their own nodes we can do following rules to allow access in case autogroup:self is causing performance issues.
{ "action": "accept", "src": ["boss@"], "dst": ["boss@:"] },
{ "action": "accept", "src": ["dev1@"], "dst": ["dev1@:*"] },
{ "action": "accept", "src": ["dev2@"], "dst": ["dev2@:"] },
{ "action": "accept", "src": ["admin1@"], "dst": ["admin1@:"] },
{ "action": "accept", "src": ["intern1@"], "dst": ["intern1@:"] }
}
```

### `autogroup:nonroot`

Used in Tailscale SSH rules to allow access to any user except root. Can only be used in the `users` field of SSH rules.

```json
{
  "action": "accept",
  "src": ["autogroup:member"],
  "dst": ["autogroup:self"],
  "users": ["autogroup:nonroot"]
}
```
Move admonitions to relevant sections 2023-03-27 20:51:14 +03:00			`Headscale implements the same policy ACLs as Tailscale.com, adapted to the self-hosted environment.`

			`For instance, instead of referring to users when defining groups you must`
			`use users (which are the equivalent to user/logins in Tailscale.com).`

Remove references to tests/acls from the documentation (#2088) 2024-09-01 15:09:47 +02:00			`Please check https://tailscale.com/kb/1018/acls/ for further information.`
Move admonitions to relevant sections 2023-03-27 20:51:14 +03:00
			`When using ACL's the User borders are no longer applied. All machines`
			`whichever the User have the ability to communicate with other hosts as`
			`long as the ACL's permits this exchange.`

docs(acls): Add example for allow/deny all acl policy 2025-08-18 10:24:57 +01:00			`## ACL Setup`
docs(acl): add configuration example to explain acls 2022-02-14 13:54:44 +01:00
docs(acls): Add example for allow/deny all acl policy 2025-08-18 10:24:57 +01:00			To enable and configure ACLs in Headscale, you need to specify the path to your ACL policy file in the `policy.path` key in `config.yaml`.

			`Your ACL policy file must be formatted using [huJSON](https://github.com/tailscale/hujson).`

			`Info on how these policies are written can be found`
			`[here](https://tailscale.com/kb/1018/acls/).`

			`Please reload or restart Headscale after updating the ACL file. Headscale may be reloaded either via its systemd service`
			(`sudo systemctl reload headscale`) or by sending a SIGHUP signal (`sudo kill -HUP $(pidof headscale)`) to the main
			`process. Headscale logs the result of ACL policy processing after each reload.`

			`## Simple Examples`

			- [Allow All](https://tailscale.com/kb/1192/acl-samples#allow-all-default-acl): If you define an ACL file but completely omit the `"acls"` field from its content, Headscale will default to an "allow all" policy. This means all devices connected to your tailnet will be able to communicate freely with each other.

			```json
			`{}`
			```

			- [Deny All](https://tailscale.com/kb/1192/acl-samples#deny-all): To prevent all communication within your tailnet, you can include an empty array for the `"acls"` field in your policy file.

			```json
			`{`
			`"acls": []`
			`}`
			```

			`## Complex Example`

			`Let's build a more complex example use case for a small business (It may be the place where`
docs(acl): add configuration example to explain acls 2022-02-14 13:54:44 +01:00			`ACL's are the most useful).`

			`We have a small company with a boss, an admin, two developers and an intern.`

Docs/ACLs: Wording, add intermediary router example 2022-03-17 19:23:37 -03:00			`The boss should have access to all servers but not to the user's hosts. Admin`
docs(acl): add configuration example to explain acls 2022-02-14 13:54:44 +01:00			`should also have access to all hosts except that their permissions should be`
			`limited to maintaining the hosts (for example purposes). The developers can do`
Docs/ACLs: Wording, add intermediary router example 2022-03-17 19:23:37 -03:00			`anything they want on dev hosts but only watch on productions hosts. Intern`
docs(acl): add configuration example to explain acls 2022-02-14 13:54:44 +01:00			`can only interact with the development servers.`

Docs/ACLs: Wording, add intermediary router example 2022-03-17 19:23:37 -03:00			`There's an additional server that acts as a router, connecting the VPN users`
Docs/ACLs: Add router examples with subnets 2022-03-17 19:58:34 -03:00			to an internal network `10.20.0.0/16`. Developers must have access to those
			`internal resources.`
Docs/ACLs: Wording, add intermediary router example 2022-03-17 19:23:37 -03:00
docs(acl): add configuration example to explain acls 2022-02-14 13:54:44 +01:00			`Each user have at least a device connected to the network and we have some`
			`servers.`

			`- database.prod`
			`- database.dev`
			`- app-server1.prod`
			`- app-server1.dev`
			`- billing.internal`
Docs/ACLs: Wording, add intermediary router example 2022-03-17 19:23:37 -03:00			`- router.internal`
docs(acl): add configuration example to explain acls 2022-02-14 13:54:44 +01:00
Restructure headscale documentation (#2163) * Setup mkdocs-redirects * Restructure existing documentation * Move client OS support into the documentation * Move existing Client OS support table into its own documentation page * Link from README.md to the rendered documentation * Document minimum Tailscale client version * Reuse CONTRIBUTING.md" in the documentation * Include "CONTRIBUTING.md" from the repository root * Update FAQ and index page and link to the contributing docs * Add configuration reference * Add a getting started page and explain the first steps with headscale * Use the existing "Using headscale" sections and combine them into a single getting started guide with a little bit more explanation. * Explain how to get help from the command line client. * Remove duplicated sections from existing installation guides * Document requirements and assumptions * Document packages provided by the community * Move deb install guide to official releases * Move manual install guide to official releases * Move container documentation to setup section * Move sealos documentation to cloud install page * Move OpenBSD docs to build from source * Simplify DNS documentation * Add sponsor page * Add releases page * Add features page * Add help page * Add upgrading page * Adjust mkdocs nav * Update wording Use the term headscale for the project, Headscale on the beginning of a sentence and `headscale` when refering to the CLI. * Welcome to headscale * Link to existing documentation in the FAQ * Remove the goal header and use the text as opener * Indent code block in OIDC * Make a few pages linter compatible Also update ignored files for prettier * Recommend HTTPS on port 443 Fixes: #2164 * Use hosts in acl documentation thx @efficacy38 for noticing this Ref: #1863 * Use mkdocs-macros to set headscale version once 2024-10-10 15:24:04 +02:00			`![ACL implementation example](../images/headscale-acl-network.png)`
docs(acl): add configuration example to explain acls 2022-02-14 13:54:44 +01:00
Misc doc fixes (#2240) * Link back to node registration docs * adjust wording in apple docs * Mention client specific page to check if headscale works Ref: #2238 2024-11-18 05:46:58 +01:00			`When [registering the servers](../usage/getting-started.md#register-a-node) we`
			will need to add the flag `--advertise-tags=tag:<tag1>,tag:<tag2>`, and the user
			`that is registering the server should be allowed to do it. Since anyone can add`
			`tags to a server they can register, the check of the tags is done on headscale`
			`server and only valid tags are applied. A tag is valid if the user that is`
docs(acl): add configuration example to explain acls 2022-02-14 13:54:44 +01:00			`registering it is allowed to do it.`

			`Here are the ACL's to implement the same permissions as above:`

Set title for code listings 2024-12-17 07:30:21 +01:00			```json title="acl.json"
docs(acl): add configuration example to explain acls 2022-02-14 13:54:44 +01:00			`{`
chore(fmt): apply make fmt command 2022-02-14 15:54:51 +01:00			`// groups are collections of users having a common scope. A user can be in multiple groups`
			`// groups cannot be composed of groups`
			`"groups": {`
Misc doc fixes (#2562) * Link to stable and development docs in the README * Add Tailscale SSH and autogroup:nonroot to features page * Use @ when referencing users in policy * Remove unmaintained headscale-webui The project seems to be unmaintained (last commit: 2023-05-08) and it only supports Headscale 0.22 or earlier. * Use full image URL in container docs This makes it easy to switch the container runtime from docker <-> podman. * Remove version from docker-compose.yml example This is now deprecated and yields a warning. 2025-05-04 21:55:08 +02:00			`"group:boss": ["boss@"],`
			`"group:dev": ["dev1@", "dev2@"],`
			`"group:admin": ["admin1@"],`
			`"group:intern": ["intern1@"]`
chore(fmt): apply make fmt command 2022-02-14 15:54:51 +01:00			`},`
			`// tagOwners in tailscale is an association between a TAG and the people allowed to set this TAG on a server.`
			`// This is documented [here](https://tailscale.com/kb/1068/acl-tags#defining-a-tag)`
			`// and explained [here](https://tailscale.com/blog/rbac-like-it-was-meant-to-be/)`
			`"tagOwners": {`
			`// the administrators can add servers in production`
			`"tag:prod-databases": ["group:admin"],`
			`"tag:prod-app-servers": ["group:admin"],`

			`// the boss can tag any server as internal`
			`"tag:internal": ["group:boss"],`

			`// dev can add servers for dev purposes as well as admins`
			`"tag:dev-databases": ["group:admin", "group:dev"],`
			`"tag:dev-app-servers": ["group:admin", "group:dev"]`

			`// interns cannot add servers`
			`},`
Docs/ACLs: Add router examples with subnets 2022-03-17 19:58:34 -03:00			`// hosts should be defined using its IP addresses and a subnet mask.`
			`// to define a single host, use a /32 mask. You cannot use DNS entries here,`
			`// as they're prone to be hijacked by replacing their IP addresses.`
			`// see https://github.com/tailscale/tailscale/issues/3800 for more information.`
Restructure headscale documentation (#2163) * Setup mkdocs-redirects * Restructure existing documentation * Move client OS support into the documentation * Move existing Client OS support table into its own documentation page * Link from README.md to the rendered documentation * Document minimum Tailscale client version * Reuse CONTRIBUTING.md" in the documentation * Include "CONTRIBUTING.md" from the repository root * Update FAQ and index page and link to the contributing docs * Add configuration reference * Add a getting started page and explain the first steps with headscale * Use the existing "Using headscale" sections and combine them into a single getting started guide with a little bit more explanation. * Explain how to get help from the command line client. * Remove duplicated sections from existing installation guides * Document requirements and assumptions * Document packages provided by the community * Move deb install guide to official releases * Move manual install guide to official releases * Move container documentation to setup section * Move sealos documentation to cloud install page * Move OpenBSD docs to build from source * Simplify DNS documentation * Add sponsor page * Add releases page * Add features page * Add help page * Add upgrading page * Adjust mkdocs nav * Update wording Use the term headscale for the project, Headscale on the beginning of a sentence and `headscale` when refering to the CLI. * Welcome to headscale * Link to existing documentation in the FAQ * Remove the goal header and use the text as opener * Indent code block in OIDC * Make a few pages linter compatible Also update ignored files for prettier * Recommend HTTPS on port 443 Fixes: #2164 * Use hosts in acl documentation thx @efficacy38 for noticing this Ref: #1863 * Use mkdocs-macros to set headscale version once 2024-10-10 15:24:04 +02:00			`"hosts": {`
Docs/ACLs: Add router examples with subnets 2022-03-17 19:58:34 -03:00			`"postgresql.internal": "10.20.0.2/32",`
			`"webservers.internal": "10.20.10.1/29"`
			`},`
chore(fmt): apply make fmt command 2022-02-14 15:54:51 +01:00			`"acls": [`
			`// boss have access to all servers`
			`{`
			`"action": "accept",`
Update internal docs to the new syntax 2022-06-08 18:12:47 +02:00			`"src": ["group:boss"],`
			`"dst": [`
chore(fmt): apply make fmt command 2022-02-14 15:54:51 +01:00			`"tag:prod-databases:*",`
			`"tag:prod-app-servers:*",`
			`"tag:internal:*",`
			`"tag:dev-databases:*",`
			`"tag:dev-app-servers:*"`
			`]`
			`},`

Update internal docs with protocol usage 2022-06-08 18:15:38 +02:00			`// admin have only access to administrative ports of the servers, in tcp/22`
chore(fmt): apply make fmt command 2022-02-14 15:54:51 +01:00			`{`
			`"action": "accept",`
Update internal docs to the new syntax 2022-06-08 18:12:47 +02:00			`"src": ["group:admin"],`
Update internal docs with protocol usage 2022-06-08 18:15:38 +02:00			`"proto": "tcp",`
Update internal docs to the new syntax 2022-06-08 18:12:47 +02:00			`"dst": [`
chore(fmt): apply make fmt command 2022-02-14 15:54:51 +01:00			`"tag:prod-databases:22",`
			`"tag:prod-app-servers:22",`
			`"tag:internal:22",`
			`"tag:dev-databases:22",`
			`"tag:dev-app-servers:22"`
			`]`
docs(acl): add configuration example to explain acls 2022-02-14 13:54:44 +01:00			`},`
chore(fmt): apply make fmt command 2022-02-14 15:54:51 +01:00
Update internal docs with protocol usage 2022-06-08 18:15:38 +02:00			`// we also allow admin to ping the servers`
			`{`
			`"action": "accept",`
			`"src": ["group:admin"],`
			`"proto": "icmp",`
			`"dst": [`
			`"tag:prod-databases:*",`
			`"tag:prod-app-servers:*",`
			`"tag:internal:*",`
			`"tag:dev-databases:*",`
			`"tag:dev-app-servers:*"`
			`]`
			`},`

chore(fmt): apply make fmt command 2022-02-14 15:54:51 +01:00			`// developers have access to databases servers and application servers on all ports`
			`// they can only view the applications servers in prod and have no access to databases servers in production`
			`{`
			`"action": "accept",`
Update internal docs to the new syntax 2022-06-08 18:12:47 +02:00			`"src": ["group:dev"],`
			`"dst": [`
chore(fmt): apply make fmt command 2022-02-14 15:54:51 +01:00			`"tag:dev-databases:*",`
			`"tag:dev-app-servers:*",`
			`"tag:prod-app-servers:80,443"`
			`]`
			`},`
Docs/ACLs: Add router examples with subnets 2022-03-17 19:58:34 -03:00			`// developers have access to the internal network through the router.`
			`// the internal network is composed of HTTPS endpoints and Postgresql`
Remove subnet router visibility workaround from docs (#2569) Previous Headscale versions required a dedicated rule to make a subnet router visible to clients. This workaround is no longer required. 2025-05-05 15:24:59 +02:00			`// database servers.`
Docs/ACLs: Add router examples with subnets 2022-03-17 19:58:34 -03:00			`{`
			`"action": "accept",`
Update internal docs to the new syntax 2022-06-08 18:12:47 +02:00			`"src": ["group:dev"],`
Remove subnet router visibility workaround from docs (#2569) Previous Headscale versions required a dedicated rule to make a subnet router visible to clients. This workaround is no longer required. 2025-05-05 15:24:59 +02:00			`"dst": ["10.20.0.0/16:443,5432"]`
Docs/ACLs: Add router examples with subnets 2022-03-17 19:58:34 -03:00			`},`
chore(fmt): apply make fmt command 2022-02-14 15:54:51 +01:00
Update internal docs with protocol usage 2022-06-08 18:15:38 +02:00			`// servers should be able to talk to database in tcp/5432. Database should not be able to initiate connections to`
chore(fmt): apply make fmt command 2022-02-14 15:54:51 +01:00			`// applications servers`
			`{`
			`"action": "accept",`
Update internal docs to the new syntax 2022-06-08 18:12:47 +02:00			`"src": ["tag:dev-app-servers"],`
Update internal docs with protocol usage 2022-06-08 18:15:38 +02:00			`"proto": "tcp",`
Update internal docs to the new syntax 2022-06-08 18:12:47 +02:00			`"dst": ["tag:dev-databases:5432"]`
docs(acl): add configuration example to explain acls 2022-02-14 13:54:44 +01:00			`},`
chore(fmt): apply make fmt command 2022-02-14 15:54:51 +01:00			`{`
			`"action": "accept",`
Update internal docs to the new syntax 2022-06-08 18:12:47 +02:00			`"src": ["tag:prod-app-servers"],`
			`"dst": ["tag:prod-databases:5432"]`
chore(fmt): apply make fmt command 2022-02-14 15:54:51 +01:00			`},`

			`// interns have access to dev-app-servers only in reading mode`
			`{`
			`"action": "accept",`
Update internal docs to the new syntax 2022-06-08 18:12:47 +02:00			`"src": ["group:intern"],`
			`"dst": ["tag:dev-app-servers:80,443"]`
chore(fmt): apply make fmt command 2022-02-14 15:54:51 +01:00			`},`

feat: add autogroup:self (#2789) 2025-10-16 12:59:52 +02:00			`// Allow users to access their own devices using autogroup:self (see below for more details about performance impact)`
			`{`
			`"action": "accept",`
			`"src": ["autogroup:member"],`
			`"dst": ["autogroup:self:*"]`
			`}`
chore(fmt): apply make fmt command 2022-02-14 15:54:51 +01:00			`]`
docs(acl): add configuration example to explain acls 2022-02-14 13:54:44 +01:00			`}`
			```
feat: add autogroup:self (#2789) 2025-10-16 12:59:52 +02:00
			`## Autogroups`

			`Headscale supports several autogroups that automatically include users, destinations, or devices with specific properties. Autogroups provide a convenient way to write ACL rules without manually listing individual users or devices.`

			### `autogroup:internet`

			`Allows access to the internet through [exit nodes](routes.md#exit-node). Can only be used in ACL destinations.`

			```json
			`{`
			`"action": "accept",`
			`"src": ["group:users"],`
			`"dst": ["autogroup:internet:*"]`
			`}`
			```

			### `autogroup:member`

			`Includes all users who are direct members of the tailnet. Does not include users from shared devices.`

			```json
			`{`
			`"action": "accept",`
			`"src": ["autogroup:member"],`
			`"dst": ["tag:prod-app-servers:80,443"]`
			`}`
			```

			### `autogroup:tagged`

			`Includes all devices that have at least one tag.`

			```json
			`{`
			`"action": "accept",`
			`"src": ["autogroup:tagged"],`
			`"dst": ["tag:monitoring:9090"]`
			`}`
			```

			### `autogroup:self`
			`(EXPERIMENTAL)`

			!!! warning "The current implementation of `autogroup:self` is inefficient"

			`Includes devices where the same user is authenticated on both the source and destination. Does not include tagged devices. Can only be used in ACL destinations.`

			```json
			`{`
			`"action": "accept",`
			`"src": ["autogroup:member"],`
			`"dst": ["autogroup:self:*"]`
			`}`
			```
			Using `autogroup:self` may cause performance degradation on the Headscale coordinator server in large deployments, as filter rules must be compiled per-node rather than globally and the current implementation is not very efficient.

			If you experience performance issues, consider using more specific ACL rules or limiting the use of `autogroup:self`.
			```json
			`{`
			`// To allow internal users communications to their own nodes we can do following rules to allow access in case autogroup:self is causing performance issues.`
			`{ "action": "accept", "src": ["boss@"], "dst": ["boss@:"] },`
			`{ "action": "accept", "src": ["dev1@"], "dst": ["dev1@:*"] },`
			`{ "action": "accept", "src": ["dev2@"], "dst": ["dev2@:"] },`
			`{ "action": "accept", "src": ["admin1@"], "dst": ["admin1@:"] },`
			`{ "action": "accept", "src": ["intern1@"], "dst": ["intern1@:"] }`
			`}`
			```

			### `autogroup:nonroot`

			Used in Tailscale SSH rules to allow access to any user except root. Can only be used in the `users` field of SSH rules.

			```json
			`{`
			`"action": "accept",`
			`"src": ["autogroup:member"],`
			`"dst": ["autogroup:self"],`
			`"users": ["autogroup:nonroot"]`
			`}`
			```