Add headscale ACLs

Tags are managed entirely server side, so there's no priv esc issues.

This lets my devices do what they want, and server style devices can't do anything.

ansible/roles/headscale/tasks/main.yml

@@ -11,7 +11,16 @@
     src: files/headscale.yml
     dest: /etc/headscale/config.yaml
     owner: headscale
-    mode: "0644"
+    mode: "0600"
+  notify: restart headscale
+  become: true
+
+- name: Install ACLs
+  template:
+    src: files/acls.json
+    dest: /etc/headscale/acls.json
+    owner: headscale
+    mode: "0600"
   notify: restart headscale
   become: true