mirror of https://github.com/juanfont/headscale.git synced 2025-11-10 01:20:58 +01:00

Simplify example ACLs for subnet routers and exit nodes

Florian Preinstorfer 2025-03-28 06:51:54 +01:00
parent ad4a3194e8
commit 669dfb39c8


@ -115,21 +115,15 @@ The initial setup of a subnet router usually requires manual approval of their a
before they can be used by a node in a tailnet. Headscale supports the `autoApprovers` section of an ACL to automate the before they can be used by a node in a tailnet. Headscale supports the `autoApprovers` section of an ACL to automate the
approval of routes served with a subnet router. approval of routes served with a subnet router.
The ACL snippet below defines a group `group:routers` with one user `user` as member. This group owns the tag The ACL snippet below defines the tag `tag:router` owned by the user `alice`. This tag is used for `routes` in the
`tag:router` which is used for `routes` in the `autoApprovers` section. The IPv4 route `192.168.0.0/24` is automatically `autoApprovers` section. The IPv4 route `192.168.0.0/24` is automatically approved when announced by a new subnet router
approved when announced by a new subnet router which is owned by the group `group:routers` and that also advertises the owned by the user `alice` and that also advertises the tag `tag:router`.
tag `tag:router`.
```json title="Members of group:routers can automatically approve routes from subnet routers tagged with tag:router" ```json title="Subnet routers owned by alice and tagged with tag:router are automatically approved"
{ {
"groups": {
"group:routers": [
"user@"
]
},
"tagOwners": { "tagOwners": {
"tag:router": [ "tag:router": [
"group:routers" "alice@"
] ]
}, },
"autoApprovers": { "autoApprovers": {
@ -241,20 +235,15 @@ The initial setup of an exit node usually requires manual approval on the contro
in a tailnet. Headscale supports the `autoApprovers` section of an ACL to automate the approval of a new exit node as in a tailnet. Headscale supports the `autoApprovers` section of an ACL to automate the approval of a new exit node as
soon as it joins the tailnet. soon as it joins the tailnet.
The ACL snippet below defines a group `group:exits` with one user `user` as member. This group owns the tag `tag:exit` The ACL snippet below defines the tag `tag:exit` owned by the user `alice`. This tag is used for `exitNode` in the
which is used for `exitNode` in the `autoApprovers` section. A new exit node which is owned by the group `group:exits` `autoApprovers` section. A new exit node which is owned by the user `alice` and that also advertises the tag `tag:exit`
and that also advertises the tag `tag:exit` is automatically approved: is automatically approved:
```json title="Members of group:exits can automatically approve exit nodes tagged with tag:exit" ```json title="Exit nodes owned by alice and tagged with tag:exit are automatically approved"
{ {
"groups": {
"group:exits": [
"user@"
]
},
"tagOwners": { "tagOwners": {
"tag:exit": [ "tag:exit": [
"group:exits" "alice@"
] ]
}, },
"autoApprovers": { "autoApprovers": {