From 0ba1a9e5bb21eb3cc09c16bcb34ceb6834966d3f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Moritz=20J=C3=B6rg?=
Date: Tue, 17 Feb 2026 16:33:06 +0100
Subject: [PATCH] fix: Remove acl

---
 values/headscale/acl.yaml | 164 --------------------------------------
 1 file changed, 164 deletions(-)
 delete mode 100644 values/headscale/acl.yaml

diff --git a/values/headscale/acl.yaml b/values/headscale/acl.yaml
deleted file mode 100644
index c8ebe81f..00000000
--- a/values/headscale/acl.yaml
+++ /dev/null
@@ -1,164 +0,0 @@
-apiVersion: v1
-data:
- policy: |
- {
- // groups are collections of users having a common scope. A user can be in multiple groups
- // groups cannot be composed of groups
- "groups": {
- "group:admin": [
- "jonas.juselius@oceanbox.io",
- "Moritz.Jorg@oceanbox.io",
- "simen.kirkvik@oceanbox.io",
- "stig.r.jensen@oceanbox.io",
- "system-tos",
- ],
- "group:devops": [
- "jonas.juselius@oceanbox.io",
- "Moritz.Jorg@oceanbox.io",
- "stig.r.jensen@oceanbox.io",
- "radovan.bast@oceanbox.io",
- "simen.kirkvik@oceanbox.io",
- "Ole.Tytlandsvik@tromso.serit.no",
- ],
- "group:oceanographer": [
- "frank.gaardsted@oceanbox.io",
- "ole.anders.nost@oceanbox.io",
- "helge.avlesen@oceanbox.io",
- "isa.rosso@oceanbox.io",
- "jonathan.lilly@oceanbox.io",
- ],
- "group:manager": [
- "svenn.hanssen@oceanbox.io",
- "hilde.iversen@oceanbox.io",
- ],
- "group:dev": [],
- "group:intern": [],
- },
- // tagOwners in tailscale is an association between a TAG and the people allowed to set this TAG on a server.
- // This is documented [here](https://tailscale.com/kb/1068/acl-tags#defining-a-tag)
- // and explained [here](https://tailscale.com/blog/rbac-like-it-was-meant-to-be/)
- "tagOwners": {
- "tag:k8s": [ "group:admin" ],
- "tag:hpc": [ "group:admin" ],
- },
- // hosts should be defined using its IP addresses and a subnet mask.
- // to define a single host, use a /32 mask. You cannot use DNS entries here,
- // as they're prone to be hijacked by replacing their IP addresses.
- // see https://github.com/tailscale/tailscale/issues/3800 for more information.
- "hosts": {
- "ingress.ekman.tos": "10.255.241.99/32",
- "ingress.ceph.tos": "10.255.241.10/32",
- "ingress.ceph.vtn": "172.16.239.50/32",
- "ingress.adm.ceph.vtn": "172.16.239.51/32",
- "ingress.oceanbox.tos": "10.255.241.11/32",
- "manage.ekman.tos": "10.255.241.99/32",
- "k8s.oceanbox.tos": "10.255.241.200/32",
- "k8s.ekman.tos": "10.255.241.99/32",
- "k8s.ceph.tos": "10.255.241.29/32",
- "printer.office.tos": "10.132.46.108/32",
- "net.office.tos": "10.132.46.0/24",
- "net.dc.tos": "10.255.241.0/24",
- "net.100gbe.tos": "10.255.244.0/24",
- "net.mgmt.tos": "10.255.240.0/24",
- "net.dc.vtn": "172.16.239.0/24",
- "net.mgmt.vtn": "172.16.238.0/24",
- },
- "acls": [
- {
- "action": "accept",
- "src": [
- "group:admin",
- "group:devops",
- "group:oceanographer",
- "group:manager",
- "group:dev",
- ],
- "dst": [
- "100.64.0.0/24:0",
- "100.64.0.0/24:22",
- ]
- },
- {
- "action": "accept",
- "src": [ "ekman", "net.dc.tos" ],
- "dst": [
- "net.dc.vtn:*",
- "100.64.0.0/24:0",
- "100.64.0.0/24:22",
- ]
- },
- {
- "action": "accept",
- "src": [ "rossby", "net.dc.vtn" ],
- "dst": [
- "net.dc.tos:*",
- "100.64.0.0/24:0",
- "100.64.0.0/24:22",
- ]
- },
- {
- "action": "accept",
- "src": [ "group:admin" ],
- "dst": [
- "net.dc.tos:*",
- "net.mgmt.tos:*",
- "net.100gbe.tos:*",
- "net.office.tos:*",
- "net.dc.vtn:*",
- "net.mgmt.vtn:*",
- ]
- },
- {
- "action": "accept",
- "src": [ "group:devops" ],
- "dst": [
- "k8s.oceanbox.tos:6443",
- "k8s.ekman.tos:4443",
- ]
- },
- {
- "action": "accept",
- "src": [
- "group:admin",
- "group:devops",
- "group:oceanographer",
- "group:manager",
- "group:dev",
- ],
- "dst": [
- "ingress.oceanbox.tos:443",
- "ingress.ekman.tos:443",
- "printer.office.tos:631",
- "10.255.241.99/32:22",
- "10.255.241.100/32:22",
- ]
- },
- {
- "action": "accept",
- "src": [
- "group:admin",
- "group:devops",
- "group:oceanographer",
- "group:manager",
- "group:dev",
- ],
- "dst": [
- "100.64.0.0/24:*",
- "autogroup:internet:*",
- ]
- },
- ]
- }
-kind: ConfigMap
-metadata:
- annotations:
- argocd.argoproj.io/tracking-id: headscale:/ConfigMap:headscale/headscale-acl
- labels:
- app.kubernetes.io/instance: headscale
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: headscale
- app.kubernetes.io/version: v0.25.0
- helm.sh/chart: headscale-0.16.0
- name: headscale-acl
- namespace: headscale
-