Fix autogroup:self alternative example

Also indent and split the comment into two lines to avoid horizontal
scrolling.
Florian Preinstorfer
2025-10-21 12:51:07 +02:00
committed by nblock
parent 8010cc574e
commit ed38d00aaa


@@ -210,7 +210,7 @@ Headscale supports several autogroups that automatically include users, destinat
### `autogroup:internet` ### `autogroup:internet`
Allows access to the internet through [exit nodes](routes.md#exit-node). Can only be used in ACL destinations. Allows access to the internet through [exit nodes](routes.md#exit-node). Can only be used in ACL destinations.
```json ```json
{ {
@@ -244,10 +244,10 @@ Includes all devices that have at least one tag.
} }
``` ```
### `autogroup:self` ### `autogroup:self`
**(EXPERIMENTAL)** **(EXPERIMENTAL)**
!!! warning "The current implementation of `autogroup:self` is inefficient" !!! warning "The current implementation of `autogroup:self` is inefficient"
Includes devices where the same user is authenticated on both the source and destination. Does not include tagged devices. Can only be used in ACL destinations. Includes devices where the same user is authenticated on both the source and destination. Does not include tagged devices. Can only be used in ACL destinations.
@@ -260,15 +260,16 @@ Includes devices where the same user is authenticated on both the source and des
``` ```
*Using `autogroup:self` may cause performance degradation on the Headscale coordinator server in large deployments, as filter rules must be compiled per-node rather than globally and the current implementation is not very efficient.* *Using `autogroup:self` may cause performance degradation on the Headscale coordinator server in large deployments, as filter rules must be compiled per-node rather than globally and the current implementation is not very efficient.*
If you experience performance issues, consider using more specific ACL rules or limiting the use of `autogroup:self`. If you experience performance issues, consider using more specific ACL rules or limiting the use of `autogroup:self`.
```json ```json
{ {
// To allow internal users communications to their own nodes we can do following rules to allow access in case autogroup:self is causing performance issues. // The following rules allow internal users to communicate with their
{ "action": "accept", "src": ["boss@"], "dst": ["boss@:"] }, // own nodes in case autogroup:self is causing performance issues.
{ "action": "accept", "src": ["dev1@"], "dst": ["dev1@:*"] }, { "action": "accept", "src": ["boss@"], "dst": ["boss@:*"] },
{ "action": "accept", "src": ["dev2@"], "dst": ["dev2@:"] }, { "action": "accept", "src": ["dev1@"], "dst": ["dev1@:*"] },
{ "action": "accept", "src": ["admin1@"], "dst": ["admin1@:"] }, { "action": "accept", "src": ["dev2@"], "dst": ["dev2@:*"] },
{ "action": "accept", "src": ["intern1@"], "dst": ["intern1@:"] } { "action": "accept", "src": ["admin1@"], "dst": ["admin1@:*"] },
{ "action": "accept", "src": ["intern1@"], "dst": ["intern1@:*"] }
} }
``` ```
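Review bot: The outer `{ ... }` in this example still encloses the five rule objects directly, with no key, so the snippet is not a usable policy fragment as shown. Consider wrapping the rules as `"acls": [ ... ]` inside the braces so readers can paste them into a policy file. The new two-line comment could also state that one rule has to be maintained per user, and whether `boss@:*` leaves out tagged devices the way the paragraph above says `autogroup:self` does, since the example is presented as a replacement for it.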