I’m running other services through Docker on my home server that I wanted to share without also sharing access to Home Assistant. I haven’t found any guides for this, but once I found out that ACLs can be used for this, it was pretty straightforward just by reading the docs: Network access controls (ACLs) · Tailscale Docs
Here is an example with the following restrictions:
- admins can access anything
- if you share a device that has the “dns” tag, people will be able to use that device as their DNS server (without having access to the Pi-hole UI, as that port is not shared)
- if you share a device that has the “jellyfin” tag and have their email address added to the “jellyfin” group, they will be able to access your Jellyfin server
- non-admin users can also access the Jellyfin server
ACLs can be set up through your admin dashboard: Tailscale
{
  // Declare static groups of users. Use autogroups for all users or users with a specific role.
  "groups": {
    "group:jellyfin": ["[email protected]"],
  },
  // Define the tags which can be applied to devices and by which users.
  "tagOwners": {
    "tag:dns": ["autogroup:admin"],
    "tag:jellyfin": ["autogroup:admin"],
  },
  // Define access control lists for users, groups, autogroups, tags,
  // Tailscale IP addresses, and subnet ranges. Anything not accepted here is denied.
  "acls": [
    // Allow all connections for admins.
    {"action": "accept", "src": ["autogroup:admin"], "dst": ["*:*"]},
    // DNS: anyone (including users the device is shared with) may reach port 53.
    // No "proto" is given, so both TCP and UDP are allowed; the Pi-hole web UI port is not listed.
    {"action": "accept", "src": ["*"], "dst": ["tag:dns:53"]},
    // Jellyfin: tailnet members and anyone in group:jellyfin.
    // UDP 1900 (DLNA/SSDP) and 7359 (client auto-discovery).
    {
      "action": "accept",
      "src": ["autogroup:member", "group:jellyfin"],
      "proto": "udp",
      "dst": ["tag:jellyfin:1900", "tag:jellyfin:7359"],
    },
    // TCP 8096 (Jellyfin HTTP web UI / API).
    {
      "action": "accept",
      "src": ["autogroup:member", "group:jellyfin"],
      "proto": "tcp",
      "dst": ["tag:jellyfin:8096"],
    },
  ],
}
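Before publishing a policy like the one above it is worth checking, for a handful of concrete users and ports, who actually gets through. The following is an added example, not part of the post above and not Tailscale's own evaluator: a small Python model of the documented rule semantics (default deny; an "accept" rule matches when any `src` selector matches the caller, any `dst` selector matches the target device's tag and port, and the protocol matches, with a missing `proto` meaning TCP or UDP). The policy is copied from the post, except that the group member's redacted address is replaced with the hypothetical `friend@example.com`; the four sample users, their emails and the tag sets are constructed for the test and are assumptions.

```python
# Added example: simplified evaluator for the Tailscale-style ACL policy
# from the post. It models the documented semantics only (default deny,
# accept rules, tag-based dst, proto defaulting to tcp+udp); real
# enforcement is done by Tailscale and may differ in corner cases.
from dataclasses import dataclass

# Policy from the post as a plain dict (HuJSON comments dropped).
# "friend@example.com" is a hypothetical stand-in for the redacted address.
POLICY = {
    "groups": {"group:jellyfin": ["friend@example.com"]},
    "tagOwners": {"tag:dns": ["autogroup:admin"], "tag:jellyfin": ["autogroup:admin"]},
    "acls": [
        {"action": "accept", "src": ["autogroup:admin"], "dst": ["*:*"]},
        {"action": "accept", "src": ["*"], "dst": ["tag:dns:53"]},
        {"action": "accept", "src": ["autogroup:member", "group:jellyfin"],
         "proto": "udp", "dst": ["tag:jellyfin:1900", "tag:jellyfin:7359"]},
        {"action": "accept", "src": ["autogroup:member", "group:jellyfin"],
         "proto": "tcp", "dst": ["tag:jellyfin:8096"]},
    ],
}


@dataclass
class User:
    email: str
    admin: bool = False   # tailnet admin  -> matches autogroup:admin
    member: bool = False  # tailnet member -> matches autogroup:member
    # A user from another tailnet who only received a shared device is
    # neither admin nor member, so only "*", a group or their email matches.


def src_matches(selector: str, user: User, policy: dict) -> bool:
    """Does one entry of a rule's "src" list cover this user?"""
    if selector == "*":
        return True
    if selector == "autogroup:admin":
        return user.admin
    if selector == "autogroup:member":
        return user.member
    if selector.startswith("group:"):
        return user.email in policy["groups"].get(selector, [])
    return selector == user.email  # a literal login address


def port_matches(spec: str, port: int) -> bool:
    """Port spec is "*", a single port "53", or a range "8000-8100"."""
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def dst_matches(selector: str, dst_tags: set, port: int) -> bool:
    """"tag:dns:53" -> host "tag:dns", port spec "53"; "*:*" matches any device."""
    host, _, spec = selector.rpartition(":")
    return (host == "*" or host in dst_tags) and port_matches(spec, port)


def allowed(policy: dict, user: User, dst_tags: set, port: int, proto: str) -> bool:
    """Default deny: True only if some accept rule matches src, dst, port and proto."""
    for rule in policy["acls"]:
        if rule.get("action") != "accept":
            continue
        protos = {rule["proto"]} if "proto" in rule else {"tcp", "udp"}
        if proto not in protos:
            continue
        if not any(src_matches(s, user, policy) for s in rule["src"]):
            continue
        if any(dst_matches(d, dst_tags, port) for d in rule["dst"]):
            return True
    return False


# Constructed sample principals (assumptions, not from the post).
ADMIN = User("admin@example.com", admin=True, member=True)
MEMBER = User("someone@example.com", member=True)
FRIEND = User("friend@example.com")      # shared user, listed in group:jellyfin
STRANGER = User("other@example.com")     # shared user, not in any group

if __name__ == "__main__":
    checks = [
        ("admin -> Pi-hole UI tcp/80", ADMIN, {"tag:dns"}, 80, "tcp"),
        ("friend -> Jellyfin tcp/8096", FRIEND, {"tag:jellyfin"}, 8096, "tcp"),
        ("friend -> Pi-hole UI tcp/80", FRIEND, {"tag:dns"}, 80, "tcp"),
        ("stranger -> DNS udp/53", STRANGER, {"tag:dns"}, 53, "udp"),
        ("stranger -> Jellyfin tcp/8096", STRANGER, {"tag:jellyfin"}, 8096, "tcp"),
        ("member -> Jellyfin udp/8096", MEMBER, {"tag:jellyfin"}, 8096, "udp"),
    ]
    for label, user, tags, port, proto in checks:
        print(f"{label}: {'allow' if allowed(POLICY, user, tags, port, proto) else 'deny'}")
```

The checks that matter for the post's stated goals are the negative ones: a shared user who is not in `group:jellyfin` reaches only port 53 on the DNS box, and even a group member cannot reach the Pi-hole UI port, because no rule lists it. If you later add a rule with `"dst": ["tag:dns:*"]` for convenience, this kind of check is what catches the UI being exposed.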