From bff9036f14d56fd822353a85d7ad9d237e56549a Mon Sep 17 00:00:00 2001
From: Nico Rey <reynico@gmail.com>
Date: Thu, 17 Mar 2022 19:58:34 -0300
Subject: [PATCH] Docs/ACLs: Add router examples with subnets

---
 docs/acls.md | 30 +++++++++++++++++++++++++++---
 1 file changed, 27 insertions(+), 3 deletions(-)

diff --git a/docs/acls.md b/docs/acls.md
index c94ddd93..910e3262 100644
--- a/docs/acls.md
+++ b/docs/acls.md
@@ -12,7 +12,8 @@ anything they want on dev hosts but only watch on productions hosts. Intern
 can only interact with the development servers.
 
 There's an additional server that acts as a router, connecting the VPN users
-to an internal network 10.20.0.0/16
+to an internal network `10.20.0.0/16`. Developers must have access to those
+internal resources.
 
 Each user have at least a device connected to the network and we have some
 servers.
@@ -24,11 +25,16 @@ servers.
 - billing.internal
 - router.internal
 
-## Setup of the network
+![ACL implementation example](images/headscale-acl-network.png)
 
-Namespaces will be created automatically when users authenticate with the 
+## ACL setup
+
+Note: Namespaces will be created automatically when users authenticate with the
 Headscale server.
 
+ACLs could be written either on [huJSON](https://github.com/tailscale/hujson)
+or Yaml. Check the [test ACLs](../tests/acls) for further information.
+
 When registering the servers we will need to add the flag
 `--advertised-tags=tag:<tag1>,tag:<tag2>`, and the user (namespace) that is
 registering the server should be allowed to do it. Since anyone can add tags to
@@ -65,6 +71,14 @@ Here are the ACL's to implement the same permissions as above:
 
     // interns cannot add servers
   },
+  // hosts should be defined using its IP addresses and a subnet mask.
+  // to define a single host, use a /32 mask. You cannot use DNS entries here,
+  // as they're prone to be hijacked by replacing their IP addresses.
+  // see https://github.com/tailscale/tailscale/issues/3800 for more information.
+  "Hosts": {
+    "postgresql.internal": "10.20.0.2/32",
+    "webservers.internal": "10.20.10.1/29"
+  },
   "acls": [
     // boss have access to all servers
     {
@@ -103,6 +117,16 @@ Here are the ACL's to implement the same permissions as above:
         "tag:prod-app-servers:80,443"
       ]
     },
+    // developers have access to the internal network through the router.
+    // the internal network is composed of HTTPS endpoints and Postgresql
+    // database servers. There's an additional rule to allow traffic to be
+    // forwarded to the internal subnet, 10.20.0.0/16. See this issue
+    // https://github.com/juanfont/headscale/issues/502
+    {
+      "action": "accept",
+      "users": ["group:dev"],
+      "ports": ["10.20.0.0/16:443,5432", "router.internal:0"]
+    },
 
     // servers should be able to talk to database. Database should not be able to initiate connections to
     // applications servers