blumeops/docs/how-to/configuration/update-tailscale-acls.md
Erich Blume e273f399ea Review 3 how-to docs and fix update-tailscale-acls inaccuracies
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-25 07:02:49 -08:00


---
title: Update Tailscale ACLs
modified: 2026-02-25
last-reviewed: 2026-02-25
tags:
- how-to
- tailscale
- pulumi
---
# Update Tailscale ACLs
How to modify Tailscale access control policies for the tailnet.
## Prerequisites
- Pulumi CLI installed (`brew install pulumi`)
- Access to 1Password blumeops vault (for OAuth credentials)
## Edit the Policy
The ACL policy lives in `pulumi/tailscale/policy.hujson` (HuJSON format with comments).
Common changes:
### Add a new ACL rule
```json
{
  "acls": [
    // ... existing rules ...
    {
      "action": "accept",
      "src": ["autogroup:admin"],
      "dst": ["tag:newservice:*"]
    }
  ]
}
```
### Add a new tag
```json
{
  "tagOwners": {
    // ... existing tags ...
    "tag:newservice": ["autogroup:admin"]
  }
}
```
### Add a new group
```json
{
  "groups": {
    // ... existing groups ...
    "group:newgroup": ["user1@example.com", "user2@example.com"]
  }
}
```
## Preview and Apply
```bash
# Preview changes (always do this first)
mise run tailnet-preview
# Apply changes (auto-confirms via --yes)
mise run tailnet-up
```
## Verify
Check the Tailscale admin console at https://login.tailscale.com/ to confirm changes.
## Common Patterns
### Service-specific access
Grant access to a specific service port:
```json
{
  "action": "accept",
  "src": ["group:users"],
  "dst": ["tag:homelab:8080"]
}
```
### SSH access
```json
{
  "ssh": [
    {
      "action": "check",
      "src": ["autogroup:admin"],
      "dst": ["tag:servers"],
      "users": ["autogroup:nonroot"]
    }
  ]
}
```
### All ports for admins
```json
{
  "action": "accept",
  "src": ["autogroup:admin"],
  "dst": ["*:*"]
}
```
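The rule, tag and group edits in "Edit the Policy" and the patterns above share one failure mode: a rule that references a `tag:` not declared in `tagOwners` or a `group:` not defined in `groups`, or a `*:*` grant to a source other than `autogroup:admin`, is easy to commit and only shows up at preview time or in the admin console. The script below is an added example (not part of this doc and not a script in the blumeops repo) of a pre-apply lint you could run before `mise run tailnet-preview`. It strips HuJSON comments and trailing commas itself, so it needs only the standard library. The embedded policy is a constructed sample, not the real `pulumi/tailscale/policy.hujson`; the function names are this example's own.

```python
"""Pre-apply lint for a Tailscale HuJSON policy (added example, not project code)."""
import json
import re
import sys

# Constructed sample policy; deliberately contains three mistakes for the lint to catch.
SAMPLE_POLICY = '''{
  // tag owners
  "tagOwners": {
    "tag:servers": ["autogroup:admin"],
    "tag:homelab": ["autogroup:admin"],
  },
  "groups": {
    "group:users": ["user1@example.com", "user2@example.com"],
  },
  "acls": [
    {"action": "accept", "src": ["autogroup:admin"], "dst": ["*:*"]},
    {"action": "accept", "src": ["group:users"], "dst": ["tag:homelab:8080"]},
    /* mistake 1: tag:newservice was never added to tagOwners */
    {"action": "accept", "src": ["group:users"], "dst": ["tag:newservice:*"]},
    /* mistakes 2 and 3: undefined group, and it gets every port on every node */
    {"action": "accept", "src": ["group:contractors"], "dst": ["*:*"]},
  ],
  "ssh": [
    {"action": "check", "src": ["autogroup:admin"], "dst": ["tag:servers"], "users": ["autogroup:nonroot"]},
  ],
}'''


def _strip_comments(text: str) -> str:
    """Remove // and /* */ comments, but never inside a string literal."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped char, including \"
                out.append(text[i + 1])
                i += 2
                continue
            in_str = c != '"'
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j == -1 else j
            continue
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
            continue
        else:
            out.append(c)
        i += 1
    return "".join(out)


def _segments(text: str):
    """Yield (is_string, chunk) so a transform can skip string literals."""
    i, n = 0, len(text)
    while i < n:
        if text[i] == '"':
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1
            yield True, text[i:j + 1]
            i = j + 1
        else:
            j = text.find('"', i)
            j = n if j == -1 else j
            yield False, text[i:j]
            i = j


def hujson_to_json(text: str) -> str:
    """Convert HuJSON to strict JSON: drop comments, then trailing commas before ] or }."""
    clean = _strip_comments(text)
    return "".join(chunk if is_str else re.sub(r",(\s*[\]}])", r"\1", chunk)
                   for is_str, chunk in _segments(clean))


def parse_hujson(text: str) -> dict:
    return json.loads(hujson_to_json(text))


TAG_RE = re.compile(r"^(tag:[^:]+)")      # "tag:homelab:8080" -> "tag:homelab"
GROUP_RE = re.compile(r"^(group:[^:]+)")


def lint_policy(text: str) -> list:
    """Return human-readable problems; an empty list means the policy passed."""
    policy = parse_hujson(text)
    tags = set(policy.get("tagOwners", {}))
    groups = set(policy.get("groups", {}))
    problems = []
    rules = [("acls", i, r) for i, r in enumerate(policy.get("acls", []))]
    rules += [("ssh", i, r) for i, r in enumerate(policy.get("ssh", []))]
    for section, idx, rule in rules:
        where = f"{section}[{idx}]"
        for field in ("src", "dst"):
            for ref in rule.get(field, []):
                m = TAG_RE.match(ref)
                if m and m.group(1) not in tags:
                    problems.append(f"{where}.{field}: undeclared {m.group(1)} (add it to tagOwners)")
                m = GROUP_RE.match(ref)
                if m and m.group(1) not in groups:
                    problems.append(f"{where}.{field}: undefined {m.group(1)} (add it to groups)")
        # Broad grants are reserved for admins in this tailnet's patterns.
        if section == "acls" and "*:*" in rule.get("dst", []) and rule.get("src") != ["autogroup:admin"]:
            problems.append(f"{where}: grants *:* to {rule.get('src')}; only autogroup:admin should get all ports")
    return problems


if __name__ == "__main__":
    # Usage: python lint_policy.py pulumi/tailscale/policy.hujson  (no arg: lint the sample)
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY
    found = lint_policy(src)
    print("\n".join(found) or "policy ok")
    sys.exit(1 if found else 0)
```

Run it against the sample and it reports the undeclared `tag:newservice`, the undefined `group:contractors`, and the `*:*` grant to that group; wiring it into a `mise` task ahead of `tailnet-preview` turns those into a non-zero exit before Pulumi ever talks to Tailscale.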
## Troubleshooting
**"Credential expired" error:**
Re-authenticate Pulumi with Tailscale. The OAuth token may need refreshing.
**Changes not taking effect:**
ACL changes are applied immediately. If a device isn't following new rules, try `tailscale down && tailscale up` on that device.
## Related
- [[tailscale]] - ACL reference and current configuration
- [[pulumi]] - Pulumi IaC reference
- [[routing]] - Service routing