
Tailscale ACL Policy


Last Updated: 2025-12-26
Status: Production (Authoritative)
Source: network-infrastructure.md


Overview

This is the authoritative Tailscale ACL policy for the BlueFly Agent Platform. This policy enforces zero-trust security with identity-based access control.

Goal: GL.iNet + laptop can reach home LAN and agents. Nothing public can ever reach inward. No lateral sprawl.


Assumptions

  • One tailnet (tailcf98b3.ts.net)
  • One always-on home subnet router (gl-be3600)
  • GL.iNet is client only
  • No Funnel (Funnel should be OFF on all production devices)

ACL Policy (Copy/Paste to Tailscale Admin Console)

{
  "groups": {
    "group:admins": ["flux423@mac.com"]
  },
  "tagOwners": {
    "tag:home-subnet": ["group:admins"],
    "tag:agent-host": ["group:admins"],
    "tag:travel-router": ["group:admins"]
  },
  "acls": [
    { "action": "accept", "src": ["group:admins"], "dst": ["tag:home-subnet:*"] },
    { "action": "accept", "src": ["group:admins"], "dst": ["tag:agent-host:*"] }
  ],
  "ssh": [
    { "action": "accept", "src": ["group:admins"], "dst": ["tag:agent-host"], "users": ["root", "admin"] }
  ]
}

Required Device Tagging

Device                            Tag                  Tailscale IP
Home subnet router (gl-be3600)    tag:home-subnet      100.116.110.123
Agent machines (Mac M4, Mac M3)   tag:agent-host       100.108.129.7, 100.108.180.36
GL.iNet travel router             tag:travel-router    N/A (when used)

What This Enforces

  • Only group:admins appears as a src, so only admins can reach anything
  • The travel router is tagged but is neither a src nor a dst of any rule, so it has no access of its own
  • No rule uses a broad src such as "*" or autogroup:member, so nothing is exposed by accident
  • A new device matches no rule until it is tagged, so future devices are locked by default
  • SSH is allowed only from admins to tag:agent-host, as the users root and admin
  • Devices not named in a rule cannot reach each other, so there is no lateral movement between untagged devices

Security Principles

  1. Default Deny: All access is denied unless explicitly allowed
  2. Identity-Based: Access based on user identity, not IP addresses
  3. Least Privilege: Devices only get access to what they need
  4. No Public Exposure: Nothing public can reach inward
  5. Tag-Based Control: Devices tagged for role-based access
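The guarantees listed under "What This Enforces" and "Security Principles" can be checked mechanically rather than by eye each time the policy is edited. The following linter is an added example, not Tailscale tooling or part of this platform's repository: it loads a constructed copy of the policy above and reports any rule whose src widens beyond group:admins, any tag that non-admins could claim, any SSH rule without an explicit user list, and any nodeAttrs grant of Funnel. It also warns when no dst is a CIDR, because a tag dst covers only the router's own Tailscale address and Tailscale applies ACLs to advertised subnet routes by IP range; the CIDR shown in that warning is a placeholder, since the page does not state the home LAN range.

```python
"""Lint the Tailscale ACL policy against the page's stated guarantees.

Added example, not Tailscale tooling. POLICY_JSON is a constructed copy of
the policy on this page (plain JSON; strip HuJSON comments before loading).
"""
import json
from typing import Dict, List

POLICY_JSON = r'''
{
  "groups": {"group:admins": ["flux423@mac.com"]},
  "tagOwners": {
    "tag:home-subnet": ["group:admins"],
    "tag:agent-host": ["group:admins"],
    "tag:travel-router": ["group:admins"]
  },
  "acls": [
    {"action": "accept", "src": ["group:admins"], "dst": ["tag:home-subnet:*"]},
    {"action": "accept", "src": ["group:admins"], "dst": ["tag:agent-host:*"]}
  ],
  "ssh": [
    {"action": "accept", "src": ["group:admins"], "dst": ["tag:agent-host"],
     "users": ["root", "admin"]}
  ]
}
'''

ADMINS = {"group:admins"}
# src values that would open a rule to every member or every device on the tailnet.
BROAD_SOURCES = {"*", "autogroup:member", "autogroup:members", "autogroup:tagged"}


def acl_dst_host(dst: str) -> str:
    """'tag:agent-host:*' -> 'tag:agent-host'; ACL dst entries always end in a port spec."""
    return dst.rpartition(":")[0]


def lint(policy: dict) -> Dict[str, List[str]]:
    errors: List[str] = []    # a stated guarantee is violated
    warnings: List[str] = []  # worth a second look
    owners = policy.get("tagOwners", {})

    # Tags: whoever can claim a tag can bring a new device under that tag's rules.
    for tag, who in owners.items():
        if set(who) - ADMINS:
            errors.append(f"{tag} claimable by non-admins: {who}")

    # Network rules: src must be admins only, dst tags must be owned, flag exit-node grants.
    for i, rule in enumerate(policy.get("acls", [])):
        src = set(rule.get("src", []))
        if src & BROAD_SOURCES:
            errors.append(f"acls[{i}] src opens to the whole tailnet: {sorted(src)}")
        elif src - ADMINS:
            errors.append(f"acls[{i}] src includes non-admin principals: {sorted(src - ADMINS)}")
        for dst in rule.get("dst", []):
            host = acl_dst_host(dst)
            if host.startswith("tag:") and host not in owners:
                errors.append(f"acls[{i}] dst {host} has no tagOwners entry")
            if host == "autogroup:internet":
                warnings.append(f"acls[{i}] grants exit-node (internet) egress")

    # SSH rules: admins only, and an explicit list of target users.
    for i, rule in enumerate(policy.get("ssh", [])):
        src = set(rule.get("src", []))
        if src - ADMINS:
            errors.append(f"ssh[{i}] src includes non-admin principals: {sorted(src - ADMINS)}")
        if not rule.get("users"):
            errors.append(f"ssh[{i}] has no explicit users list")

    # Funnel: a nodeAttrs grant of "funnel" contradicts the Funnel-off assumption.
    for attr in policy.get("nodeAttrs", []):
        if "funnel" in attr.get("attr", []):
            errors.append(f"nodeAttrs grants funnel to {attr.get('target')}")

    # Subnet routes: a tag dst covers only the router's own Tailscale address; the LAN
    # behind it is reachable only if its CIDR is itself a dst. <home-lan-cidr> is a placeholder.
    if not any("/" in d for r in policy.get("acls", []) for d in r.get("dst", [])):
        warnings.append("no CIDR dst: the LAN behind tag:home-subnet is not reachable "
                        "until its range is added as a dst, e.g. \"<home-lan-cidr>:*\"")
    return {"errors": errors, "warnings": warnings}


def lint_json(text: str) -> Dict[str, List[str]]:
    """Lint a policy given as JSON text."""
    return lint(json.loads(text))


if __name__ == "__main__":
    for level, items in lint_json(POLICY_JSON).items():
        for item in items:
            print(f"{level}: {item}")
```

Run it before pasting a revised policy into the admin console: the page's policy produces no errors and one warning (the missing LAN CIDR), while a rule with src "*" or a tag owned by autogroup:member fails the check. Tailscale's own "tests" section of the policy file can express the same expectations server-side, but this script runs offline in a pre-commit hook or CI job.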