1
0
Fork
You've already forked tailscale-acl
0
command-line client to preview and commit changes to Tailscale's ACL https://codeberg.org/piger/tailscale-acl
  • Go 100%
2026年06月25日 21:46:24 +01:00
internal/config configuration from environment 2025年10月06日 15:42:09 +01:00
.gitignore add goreleaser configuration 2026年06月25日 21:46:24 +01:00
.goreleaser.yaml add goreleaser configuration 2026年06月25日 21:46:24 +01:00
go.mod update dependencies 2026年06月25日 20:46:43 +01:00
go.sum update dependencies 2026年06月25日 20:46:43 +01:00
LICENSE Create LICENSE 2024年05月20日 21:27:55 +01:00
main.go more descriptive variable names 2025年10月06日 15:42:11 +01:00
README.md add instructions for OAuth + 1Password 2026年06月25日 21:12:01 +01:00

Tailscale ACL client

Extremely rudimentary command-line client to preview and commit changes to Tailscale's ACLs.

Configuration

To use an API key (which must have an expiration date), create a configuration file like this:

api_key:"tskey-api-XXXXYYYZZZ"tailnet:"example.github"

and use the -config <filename> command-line flag.

To use an OAuth token, see the next section.

OAuth + 1Password

Install direnv and 1Password CLI (the op command).

Create an OAuth token in Tailscale. The scope must include read and write permissions for the Policy File. Then, write the "Client ID" and "Client Secret" in a 1Password entry.

In the directory where you keep your version-controlled policy file, create .envrc:

export TAILSCALE_TAILNET="12345ABCDEF"
export TAILSCALE_OAUTH_CLIENT_ID="op://Private/XXXXYYYYZZZxxxyyyzzz/client_id"
export TAILSCALE_OAUTH_CLIENT_SECRET="op://Private/XXXXYYYYZZZxxxyyyzzz/client_secret"

Allow direnv to read this file by running direnv allow.

Now, from within this directory, you can run tailscale-acl with op to interact with your Tailscale policy:

$ op run -- tailscale-acl -preview policy.hujson
$ op run -- tailscale-acl -commit policy.hujson

The advantage of using an OAuth token is that it does not need to have an expiration date.