fix(headscale): add thinker to ACL + widen admin SSH to all hosts #497

Merged
lytedev merged 2 commits from fix-headscale-acl into main 2026-04-20 11:14:05 -05:00

Summary

  • Add thinker (100.64.0.14) to the ACL hosts map so it can be named in rules.
  • Replace the enumerated admin SSH destination list with dst: ["*"]. Admin devices/users never hit implicit deny on SSH again — new hosts work without ACL edits.

Behavior

  • Admin: full network reach (existing dst: ["*:*"] rule) + full SSH reach (new dst: ["*"] rule).
  • Non-admin: unchanged — narrow explicit grants (DNS, beefcake:80/443/445, family/friends ports, tag-based backup), everything else implicit-deny per Tailscale default.

Why now

Without this, SSH from any admin device to thinker fails with tailnet policy does not permit you to SSH to this node. Enumerated destinations are also just fragile maintenance.

Test plan

  • Deploy to beefcake
  • SSH from an admin device to thinker — works (previously denied)
  • Non-admin device attempting SSH to anything — still denied
  • Non-admin device reaching DNS / beefcake web / family-scoped ports — still works
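The ACL shape the description lays out (thinker registered in the hosts map, an admin SSH rule with dst "*" next to the existing "*:*" network rule, narrow non-admin grants), as an added Python illustration that is not code from this repository or from Headscale: a simplified matcher lets the four test-plan items be checked against the before and after SSH rules. Group names, device names, beefcake's address and the matcher semantics are assumptions.

```python
"""Simplified check of the PR's test plan against the ACL shape it describes.
Added illustration, not code from lytedev/nix or Headscale: group and device
names, beefcake's IP and the matcher itself are assumptions."""
from __future__ import annotations

# Constructed policy mirroring the description: thinker registered in hosts,
# admin network rule "*:*", admin SSH rule "*", narrow non-admin grants.
POLICY = {
    "groups": {"group:admin": ["admin-laptop"], "group:family": ["kid-phone"]},
    "hosts": {"beefcake": "100.64.0.1", "thinker": "100.64.0.14"},
    "acls": [
        {"action": "accept", "src": ["group:admin"], "dst": ["*:*"]},
        {"action": "accept", "src": ["group:family"], "dst": ["beefcake:80,443,445"]},
    ],
    "ssh": [{"action": "accept", "src": ["group:admin"], "dst": ["*"], "users": ["root"]}],
}
# Pre-PR shape: admin SSH destinations enumerated, thinker not among them.
SSH_BEFORE = [{"action": "accept", "src": ["group:admin"], "dst": ["beefcake"], "users": ["root"]}]

def _members(policy: dict, selector: str) -> set[str]:
    """Expand a src selector: '*' is everyone, group:* expands, else one device."""
    if selector == "*":
        return {d for devices in policy["groups"].values() for d in devices}
    return set(policy["groups"].get(selector, [selector]))

def _dst_matches(policy: dict, dst: str, host: str, port: int | None) -> bool:
    """Match 'host:ports' (network ACL) or bare host / '*' (SSH) against a target."""
    name, _, ports = dst.partition(":")
    if name != "*" and name not in policy["hosts"]:
        raise ValueError(f"{name!r} is not in the hosts map")  # why thinker was added
    if name not in ("*", host):
        return False
    if port is None:  # SSH rules carry no port component
        return ports == ""
    return ports == "*" or str(port) in ports.split(",")

def _any_accept(policy: dict, rules: list, src: str, host: str, port: int | None) -> bool:
    """Rules are accept-only, so any match allows and no match is implicit deny."""
    return any(src in _members(policy, s) and _dst_matches(policy, d, host, port)
               for rule in rules if rule["action"] == "accept"
               for s in rule["src"] for d in rule["dst"])

def ssh_allowed(policy: dict, src: str, host: str) -> bool:
    return _any_accept(policy, policy["ssh"], src, host, None)

def port_allowed(policy: dict, src: str, host: str, port: int) -> bool:
    return _any_accept(policy, policy["acls"], src, host, port)
```

Swapping in SSH_BEFORE reproduces the denial the description reports for admin SSH to thinker, while the non-admin checks come out identical under both rule sets.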
fix(headscale): add thinker to ACL + widen admin SSH to all hosts
All checks were successful
/ check-format (push) Successful in 7s
/ build (push) Successful in 5m35s
21eefec5f5
Two changes to the ACL policy:
- Register thinker (100.64.0.14) in the hosts map so it can be named in
  rules.
- Replace the enumerated admin SSH destination list with `dst: ["*"]`
  so new hosts don't get silently implicit-denied for admin SSH. Admin
  devices keep full network reach via the existing `dst: ["*:*"]`
  rule; non-admin devices still fall through to their narrow explicit
  grants, so default-deny for everyone else is preserved.
fix(unifi): raise start timeout to 5min
a64c34707e
Unifi's Java app routinely takes 60-120s to start, exceeding systemd's
default 90s TimeoutStartSec. Activation then kills it and the whole
deploy rolls back even though unifi would have come up on its own.
Give it 5 minutes to settle.
lytedev force-pushed fix-headscale-acl from a64c34707e to 71453baec9 2026-04-20 10:54:27 -05:00 (checks on 71453baec9: check-format successful in 7s, build failing after 6s)
lytedev deleted branch fix-headscale-acl 2026-04-20 11:14:05 -05:00
Reference
lytedev/nix!497