From b214b41c0c0ebd09e186da07c1b18c3787dd27aa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Motiejus=20Jak=C5=A1tys?=
Date: Mon, 3 Nov 2025 22:31:35 +0000
Subject: [PATCH] headscale: trying policies
---
 modules/services/headscale/acl-policy.json | 37 ++++++++++++++++++++++
 modules/services/headscale/default.nix | 1 +
 2 files changed, 38 insertions(+)
 create mode 100644 modules/services/headscale/acl-policy.json
diff --git a/modules/services/headscale/acl-policy.json b/modules/services/headscale/acl-policy.json
new file mode 100644
index 0000000..3cfd2ed
--- /dev/null
+++ b/modules/services/headscale/acl-policy.json
@@ -0,0 +1,37 @@
+{
+ "groups": {
+ "group:admin": ["motiejus@", "servers@"]
+ },
+
+ "tagOwners": {
+ "tag:public-server": ["group:admin"]
+ },
+
+ "acls": [
+ {
+ "action": "accept",
+ "src": ["group:admin"],
+ "dst": ["*:*"]
+ },
+
+ {
+ "action": "accept",
+ "src": ["*"],
+ "dst": ["tag:public-server:*"]
+ },
+
+ {
+ "action": "accept",
+ "src": ["*"],
+ "proto": "tcp",
+ "dst": ["*:22"]
+ },
+
+ {
+ "action": "accept",
+ "src": ["*"],
+ "proto": "icmp",
+ "dst": ["*:*"]
+ }
+ ]
+}
diff --git a/modules/services/headscale/default.nix b/modules/services/headscale/default.nix
index 2f9c471..0e1a879 100644
--- a/modules/services/headscale/default.nix
+++ b/modules/services/headscale/default.nix
@@ -28,6 +28,7 @@
 ip_prefixes = [ config.mj.services.headscale.subnetCIDR ];
 prefixes.v4 = config.mj.services.headscale.subnetCIDR;
 log.level = "warn";
+ policy.path = ./acl-policy.json;
 dns = {
 nameservers.global = [ "1.1.1.1"
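Review bot: The third rule, `{ "action": "accept", "src": ["*"], "proto": "tcp", "dst": ["*:22"] }`, lets every node reach SSH on every other node, which makes the admin-only `"dst": ["*:*"]` rule and the `tag:public-server` scoping above it moot for port 22. Since `group:admin` already gets `*:*`, this rule only adds SSH access for non-admin nodes; either drop it or narrow the destination to a tag that is meant to be reachable, e.g. `"dst": ["tag:PLACEHOLDER-ssh-target:22"]` (placeholder tag name). Separately, `"group:admin": ["motiejus@", "servers@"]` makes every node registered under `servers@` a source for the unrestricted `*:*` rule; if those nodes are meant to be reached rather than to reach everything, a tag with a `tagOwners` entry looks like the intended fit — confirm against how the server nodes are registered. A one-line comment above each rule naming who it is for would help readers, but only if headscale loads this file through a HuJSON-tolerant parser (I believe it does; confirm), since a strict JSON parser would reject comments.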