feat: implements apis for managing headscale policy (#1792)

2024-07-18 11:08:25 +05:30 · 2024-07-18 11:08:25 +05:30 · 58bd38a609
commit 58bd38a609
parent 00ff288f0c
39 changed files with 1875 additions and 567 deletions
--- a/hscontrol/app.go
+++ b/hscontrol/app.go
@ -8,7 +8,7 @@ import (
 	"io"
 	"net"
 	"net/http"
-	_ "net/http/pprof" //nolint
+	_ "net/http/pprof" // nolint
 	"os"
 	"os/signal"
 	"path/filepath"
@ -23,16 +23,6 @@ import (
 	"github.com/gorilla/mux"
 	grpcMiddleware "github.com/grpc-ecosystem/go-grpc-middleware"
 	grpcRuntime "github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
-	"github.com/juanfont/headscale"
-	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
-	"github.com/juanfont/headscale/hscontrol/db"
-	"github.com/juanfont/headscale/hscontrol/derp"
-	derpServer "github.com/juanfont/headscale/hscontrol/derp/server"
-	"github.com/juanfont/headscale/hscontrol/mapper"
-	"github.com/juanfont/headscale/hscontrol/notifier"
-	"github.com/juanfont/headscale/hscontrol/policy"
-	"github.com/juanfont/headscale/hscontrol/types"
-	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/patrickmn/go-cache"
 	zerolog "github.com/philip-bui/grpc-zerolog"
 	"github.com/pkg/profile"
@ -57,6 +47,17 @@ import (
 	"tailscale.com/types/dnstype"
 	"tailscale.com/types/key"
 	"tailscale.com/util/dnsname"
+
+	"github.com/juanfont/headscale"
+	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
+	"github.com/juanfont/headscale/hscontrol/db"
+	"github.com/juanfont/headscale/hscontrol/derp"
+	derpServer "github.com/juanfont/headscale/hscontrol/derp/server"
+	"github.com/juanfont/headscale/hscontrol/mapper"
+	"github.com/juanfont/headscale/hscontrol/notifier"
+	"github.com/juanfont/headscale/hscontrol/policy"
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
 )

 var (
@ -516,6 +517,10 @@ func (h *Headscale) Serve() error {

 	var err error

+	if err = h.loadACLPolicy(); err != nil {
+		return fmt.Errorf("failed to load ACL policy: %w", err)
+	}
+
 	if dumpConfig {
 		spew.Dump(h.cfg)
 	}
@ -784,17 +789,12 @@ func (h *Headscale) Serve() error {
 					Msg("Received SIGHUP, reloading ACL and Config")

 				// TODO(kradalby): Reload config on SIGHUP
+				if err := h.loadACLPolicy(); err != nil {
+					log.Error().Err(err).Msg("failed to reload ACL policy")
+				}

-				if h.cfg.ACL.PolicyPath != "" {
-					aclPath := util.AbsolutePathFromConfigPath(h.cfg.ACL.PolicyPath)
-					pol, err := policy.LoadACLPolicyFromPath(aclPath)
-					if err != nil {
-						log.Error().Err(err).Msg("Failed to reload ACL policy")
-					}
-
-					h.ACLPolicy = pol
+				if h.ACLPolicy != nil {
 					log.Info().
-						Str("path", aclPath).
 						Msg("ACL policy successfully reloaded, notifying nodes of change")

 					ctx := types.NotifyCtx(context.Background(), "acl-sighup", "na")
@ -802,7 +802,6 @@ func (h *Headscale) Serve() error {
 						Type: types.StateFullUpdate,
 					})
 				}
-
 			default:
 				trace := log.Trace().Msgf
 				log.Info().
@ -1012,3 +1011,48 @@ func readOrCreatePrivateKey(path string) (*key.MachinePrivate, error) {

 	return &machineKey, nil
 }
+
+func (h *Headscale) loadACLPolicy() error {
+	var (
+		pol *policy.ACLPolicy
+		err error
+	)
+
+	switch h.cfg.Policy.Mode {
+	case types.PolicyModeFile:
+		path := h.cfg.Policy.Path
+
+		// It is fine to start headscale without a policy file.
+		if len(path) == 0 {
+			return nil
+		}
+
+		absPath := util.AbsolutePathFromConfigPath(path)
+		pol, err = policy.LoadACLPolicyFromPath(absPath)
+		if err != nil {
+			return fmt.Errorf("failed to load ACL policy from file: %w", err)
+		}
+	case types.PolicyModeDB:
+		p, err := h.db.GetPolicy()
+		if err != nil {
+			if errors.Is(err, types.ErrPolicyNotFound) {
+				return nil
+			}
+
+			return fmt.Errorf("failed to get policy from database: %w", err)
+		}
+
+		pol, err = policy.LoadACLPolicyFromBytes([]byte(p.Data))
+		if err != nil {
+			return fmt.Errorf("failed to parse policy: %w", err)
+		}
+	default:
+		log.Fatal().
+			Str("mode", string(h.cfg.Policy.Mode)).
+			Msg("Unknown ACL policy mode")
+	}
+
+	h.ACLPolicy = pol
+
+	return nil
+}
--- a/hscontrol/db/db.go
+++ b/hscontrol/db/db.go
@ -395,6 +395,18 @@ func NewHeadscaleDatabase(
 					return nil
 				},
 			},
+			{
+				ID: "202406021630",
+				Migrate: func(tx *gorm.DB) error {
+					err := tx.AutoMigrate(&types.Policy{})
+					if err != nil {
+						return err
+					}
+
+					return nil
+				},
+				Rollback: func(db *gorm.DB) error { return nil },
+			},
 		},
 	)

--- a/hscontrol/db/node_test.go
+++ b/hscontrol/db/node_test.go
@ -8,13 +8,14 @@ import (
 	"testing"
 	"time"

-	"github.com/juanfont/headscale/hscontrol/policy"
-	"github.com/juanfont/headscale/hscontrol/types"
-	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/puzpuzpuz/xsync/v3"
 	"gopkg.in/check.v1"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"
+
+	"github.com/juanfont/headscale/hscontrol/policy"
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
 )

 func (s *Suite) TestGetNode(c *check.C) {
@ -545,7 +546,7 @@ func (s *Suite) TestAutoApproveRoutes(c *check.C) {
 }
 	`)

-	pol, err := policy.LoadACLPolicyFromBytes(acl, "hujson")
+	pol, err := policy.LoadACLPolicyFromBytes(acl)
 	c.Assert(err, check.IsNil)
 	c.Assert(pol, check.NotNil)

--- a/hscontrol/db/policy.go
+++ b/hscontrol/db/policy.go
@ -0,0 +1,44 @@
+package db
+
+import (
+	"gorm.io/gorm"
+	"gorm.io/gorm/clause"
+
+	"errors"
+
+	"github.com/juanfont/headscale/hscontrol/types"
+)
+
+// SetPolicy sets the policy in the database.
+func (hsdb *HSDatabase) SetPolicy(policy string) (*types.Policy, error) {
+	// Create a new policy.
+	p := types.Policy{
+		Data: policy,
+	}
+
+	if err := hsdb.DB.Clauses(clause.Returning{}).Create(&p).Error; err != nil {
+		return nil, err
+	}
+
+	return &p, nil
+}
+
+// GetPolicy returns the latest policy in the database.
+func (hsdb *HSDatabase) GetPolicy() (*types.Policy, error) {
+	var p types.Policy
+
+	// Query:
+	// SELECT * FROM policies ORDER BY id DESC LIMIT 1;
+	if err := hsdb.DB.
+		Order("id DESC").
+		Limit(1).
+		First(&p).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, types.ErrPolicyNotFound
+		}
+
+		return nil, err
+	}
+
+	return &p, nil
+}
--- a/hscontrol/grpcv1.go
+++ b/hscontrol/grpcv1.go
@ -4,6 +4,8 @@ package hscontrol
 import (
 	"context"
 	"errors"
+	"io"
+	"os"
 	"sort"
 	"strings"
 	"time"
@ -11,12 +13,14 @@ import (
 	"github.com/rs/zerolog/log"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/types/known/timestamppb"
 	"gorm.io/gorm"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/key"

 	v1 "github.com/juanfont/headscale/gen/go/headscale/v1"
 	"github.com/juanfont/headscale/hscontrol/db"
+	"github.com/juanfont/headscale/hscontrol/policy"
 	"github.com/juanfont/headscale/hscontrol/types"
 	"github.com/juanfont/headscale/hscontrol/util"
 )
@ -671,6 +675,76 @@ func (api headscaleV1APIServer) DeleteApiKey(
 	return &v1.DeleteApiKeyResponse{}, nil
 }

+func (api headscaleV1APIServer) GetPolicy(
+	_ context.Context,
+	_ *v1.GetPolicyRequest,
+) (*v1.GetPolicyResponse, error) {
+	switch api.h.cfg.Policy.Mode {
+	case types.PolicyModeDB:
+		p, err := api.h.db.GetPolicy()
+		if err != nil {
+			return nil, err
+		}
+
+		return &v1.GetPolicyResponse{
+			Policy:    p.Data,
+			UpdatedAt: timestamppb.New(p.UpdatedAt),
+		}, nil
+	case types.PolicyModeFile:
+		// Read the file and return the contents as-is.
+		f, err := os.Open(api.h.cfg.Policy.Path)
+		if err != nil {
+			return nil, err
+		}
+
+		defer f.Close()
+
+		b, err := io.ReadAll(f)
+		if err != nil {
+			return nil, err
+		}
+
+		return &v1.GetPolicyResponse{Policy: string(b)}, nil
+	}
+
+	return nil, nil
+}
+
+func (api headscaleV1APIServer) SetPolicy(
+	_ context.Context,
+	request *v1.SetPolicyRequest,
+) (*v1.SetPolicyResponse, error) {
+	if api.h.cfg.Policy.Mode != types.PolicyModeDB {
+		return nil, types.ErrPolicyUpdateIsDisabled
+	}
+
+	p := request.GetPolicy()
+
+	valid, err := policy.LoadACLPolicyFromBytes([]byte(p))
+	if err != nil {
+		return nil, err
+	}
+
+	updated, err := api.h.db.SetPolicy(p)
+	if err != nil {
+		return nil, err
+	}
+
+	api.h.ACLPolicy = valid
+
+	ctx := types.NotifyCtx(context.Background(), "acl-update", "na")
+	api.h.nodeNotifier.NotifyAll(ctx, types.StateUpdate{
+		Type: types.StateFullUpdate,
+	})
+
+	response := &v1.SetPolicyResponse{
+		Policy:    updated.Data,
+		UpdatedAt: timestamppb.New(updated.UpdatedAt),
+	}
+
+	return response, nil
+}
+
 // The following service calls are for testing and debugging
 func (api headscaleV1APIServer) DebugCreateNode(
 	ctx context.Context,
--- a/hscontrol/mapper/mapper.go
+++ b/hscontrol/mapper/mapper.go
@ -594,9 +594,30 @@ func appendPeerChanges(
 		resp.PeersChanged = tailPeers
 	}
 	resp.DNSConfig = dnsConfig
-	resp.PacketFilter = policy.ReduceFilterRules(node, packetFilter)
 	resp.UserProfiles = profiles
 	resp.SSHPolicy = sshPolicy

+	// 81: 2023-11-17: MapResponse.PacketFilters (incremental packet filter updates)
+	if capVer >= 81 {
+		// Currently, we do not send incremental package filters, however using the
+		// new PacketFilters field and "base" allows us to send a full update when we
+		// have to send an empty list, avoiding the hack in the else block.
+		resp.PacketFilters = map[string][]tailcfg.FilterRule{
+			"base": policy.ReduceFilterRules(node, packetFilter),
+		}
+	} else {
+		// This is a hack to avoid sending an empty list of packet filters.
+		// Since tailcfg.PacketFilter has omitempty, any empty PacketFilter will
+		// be omitted, causing the client to consider it unchange, keeping the
+		// previous packet filter. Worst case, this can cause a node that previously
+		// has access to a node to _not_ loose access if an empty (allow none) is sent.
+		reduced := policy.ReduceFilterRules(node, packetFilter)
+		if len(reduced) > 0 {
+			resp.PacketFilter = reduced
+		} else {
+			resp.PacketFilter = packetFilter
+		}
+	}
+
 	return nil
 }
--- a/hscontrol/policy/acls.go
+++ b/hscontrol/policy/acls.go
@ -7,18 +7,17 @@ import (
 	"io"
 	"net/netip"
 	"os"
-	"path/filepath"
 	"strconv"
 	"strings"
 	"time"

-	"github.com/juanfont/headscale/hscontrol/types"
-	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/rs/zerolog/log"
 	"github.com/tailscale/hujson"
 	"go4.org/netipx"
-	"gopkg.in/yaml.v3"
 	"tailscale.com/tailcfg"
+
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
 )

 var (
@ -108,35 +107,22 @@ func LoadACLPolicyFromPath(path string) (*ACLPolicy, error) {
 		Bytes("file", policyBytes).
 		Msg("Loading ACLs")

-	switch filepath.Ext(path) {
-	case ".yml", ".yaml":
-		return LoadACLPolicyFromBytes(policyBytes, "yaml")
-	}
-
-	return LoadACLPolicyFromBytes(policyBytes, "hujson")
+	return LoadACLPolicyFromBytes(policyBytes)
 }

-func LoadACLPolicyFromBytes(acl []byte, format string) (*ACLPolicy, error) {
+func LoadACLPolicyFromBytes(acl []byte) (*ACLPolicy, error) {
 	var policy ACLPolicy
-	switch format {
-	case "yaml":
-		err := yaml.Unmarshal(acl, &policy)
-		if err != nil {
-			return nil, err
-		}

-	default:
-		ast, err := hujson.Parse(acl)
-		if err != nil {
-			return nil, err
-		}
+	ast, err := hujson.Parse(acl)
+	if err != nil {
+		return nil, fmt.Errorf("parsing hujson, err: %w", err)
+	}

-		ast.Standardize()
-		acl = ast.Pack()
-		err = json.Unmarshal(acl, &policy)
-		if err != nil {
-			return nil, err
-		}
+	ast.Standardize()
+	acl = ast.Pack()
+
+	if err := json.Unmarshal(acl, &policy); err != nil {
+		return nil, fmt.Errorf("unmarshalling policy, err: %w", err)
 	}

 	if policy.IsZero() {
@ -846,7 +832,7 @@ func (pol *ACLPolicy) expandIPsFromUser(

 	// shortcurcuit if we have no nodes to get ips from.
 	if len(filteredNodes) == 0 {
-		return nil, nil //nolint
+		return nil, nil // nolint
 	}

 	for _, node := range filteredNodes {
--- a/hscontrol/policy/acls_test.go
+++ b/hscontrol/policy/acls_test.go
@ -6,14 +6,15 @@ import (
 	"testing"

 	"github.com/google/go-cmp/cmp"
-	"github.com/juanfont/headscale/hscontrol/types"
-	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/rs/zerolog/log"
 	"github.com/spf13/viper"
 	"github.com/stretchr/testify/assert"
 	"go4.org/netipx"
 	"gopkg.in/check.v1"
 	"tailscale.com/tailcfg"
+
+	"github.com/juanfont/headscale/hscontrol/types"
+	"github.com/juanfont/headscale/hscontrol/util"
 )

 var iap = func(ipStr string) *netip.Addr {
@ -321,44 +322,27 @@ func TestParsing(t *testing.T) {
 			wantErr: false,
 		},
 		{
-			name:   "port-wildcard-yaml",
-			format: "yaml",
+			name:   "ipv6",
+			format: "hujson",
 			acl: `
---
-hosts:
-  host-1: 100.100.100.100/32
-  subnet-1: 100.100.101.100/24
-acls:
-  - action: accept
-    src:
-      - "*"
-    dst:
-      - host-1:*
-`,
-			want: []tailcfg.FilterRule{
-				{
-					SrcIPs: []string{"0.0.0.0/0", "::/0"},
-					DstPorts: []tailcfg.NetPortRange{
-						{IP: "100.100.100.100/32", Ports: tailcfg.PortRangeAny},
-					},
-				},
-			},
-			wantErr: false,
-		},
+{
+	"hosts": {
+		"host-1": "100.100.100.100/32",
+		"subnet-1": "100.100.101.100/24",
+	},
+
+	"acls": [
 		{
-			name:   "ipv6-yaml",
-			format: "yaml",
-			acl: `
---
-hosts:
-  host-1: 100.100.100.100/32
-  subnet-1: 100.100.101.100/24
-acls:
-  - action: accept
-    src:
-      - "*"
-    dst:
-      - host-1:*
+			"action": "accept",
+			"src": [
+				"*",
+			],
+			"dst": [
+				"host-1:*",
+			],
+		},
+	],
+}			
 `,
 			want: []tailcfg.FilterRule{
 				{
@ -374,7 +358,7 @@ acls:

 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			pol, err := LoadACLPolicyFromBytes([]byte(tt.acl), tt.format)
+			pol, err := LoadACLPolicyFromBytes([]byte(tt.acl))

 			if tt.wantErr && err == nil {
 				t.Errorf("parsing() error = %v, wantErr %v", err, tt.wantErr)
@ -544,7 +528,7 @@ func (s *Suite) TestRuleInvalidGeneration(c *check.C) {
 	],
 }
 	`)
-	pol, err := LoadACLPolicyFromBytes(acl, "hujson")
+	pol, err := LoadACLPolicyFromBytes(acl)
 	c.Assert(pol.ACLs, check.HasLen, 6)
 	c.Assert(err, check.IsNil)

--- a/hscontrol/policy/acls_types.go
+++ b/hscontrol/policy/acls_types.go
@ -6,26 +6,25 @@ import (
 	"strings"

 	"github.com/tailscale/hujson"
-	"gopkg.in/yaml.v3"
 )

 // ACLPolicy represents a Tailscale ACL Policy.
 type ACLPolicy struct {
-	Groups        Groups        `json:"groups"        yaml:"groups"`
-	Hosts         Hosts         `json:"hosts"         yaml:"hosts"`
-	TagOwners     TagOwners     `json:"tagOwners"     yaml:"tagOwners"`
-	ACLs          []ACL         `json:"acls"          yaml:"acls"`
-	Tests         []ACLTest     `json:"tests"         yaml:"tests"`
-	AutoApprovers AutoApprovers `json:"autoApprovers" yaml:"autoApprovers"`
-	SSHs          []SSH         `json:"ssh"           yaml:"ssh"`
+	Groups        Groups        `json:"groups"    `
+	Hosts         Hosts         `json:"hosts"`
+	TagOwners     TagOwners     `json:"tagOwners"`
+	ACLs          []ACL         `json:"acls"`
+	Tests         []ACLTest     `json:"tests"`
+	AutoApprovers AutoApprovers `json:"autoApprovers"`
+	SSHs          []SSH         `json:"ssh"`
 }

 // ACL is a basic rule for the ACL Policy.
 type ACL struct {
-	Action       string   `json:"action" yaml:"action"`
-	Protocol     string   `json:"proto"  yaml:"proto"`
-	Sources      []string `json:"src"    yaml:"src"`
-	Destinations []string `json:"dst"    yaml:"dst"`
+	Action       string   `json:"action"`
+	Protocol     string   `json:"proto"`
+	Sources      []string `json:"src"`
+	Destinations []string `json:"dst"`
 }

 // Groups references a series of alias in the ACL rules.
@ -37,27 +36,27 @@ type Hosts map[string]netip.Prefix
 // TagOwners specify what users (users?) are allow to use certain tags.
 type TagOwners map[string][]string

-// ACLTest is not implemented, but should be use to check if a certain rule is allowed.
+// ACLTest is not implemented, but should be used to check if a certain rule is allowed.
 type ACLTest struct {
-	Source string   `json:"src"            yaml:"src"`
-	Accept []string `json:"accept"         yaml:"accept"`
-	Deny   []string `json:"deny,omitempty" yaml:"deny,omitempty"`
+	Source string   `json:"src"`
+	Accept []string `json:"accept"`
+	Deny   []string `json:"deny,omitempty"`
 }

 // AutoApprovers specify which users (users?), groups or tags have their advertised routes
 // or exit node status automatically enabled.
 type AutoApprovers struct {
-	Routes   map[string][]string `json:"routes"   yaml:"routes"`
-	ExitNode []string            `json:"exitNode" yaml:"exitNode"`
+	Routes   map[string][]string `json:"routes"`
+	ExitNode []string            `json:"exitNode"`
 }

 // SSH controls who can ssh into which machines.
 type SSH struct {
-	Action       string   `json:"action"                yaml:"action"`
-	Sources      []string `json:"src"                   yaml:"src"`
-	Destinations []string `json:"dst"                   yaml:"dst"`
-	Users        []string `json:"users"                 yaml:"users"`
-	CheckPeriod  string   `json:"checkPeriod,omitempty" yaml:"checkPeriod,omitempty"`
+	Action       string   `json:"action"`
+	Sources      []string `json:"src"`
+	Destinations []string `json:"dst"`
+	Users        []string `json:"users"`
+	CheckPeriod  string   `json:"checkPeriod,omitempty"`
 }

 // UnmarshalJSON allows to parse the Hosts directly into netip objects.
@ -89,27 +88,6 @@ func (hosts *Hosts) UnmarshalJSON(data []byte) error {
 	return nil
 }

-// UnmarshalYAML allows to parse the Hosts directly into netip objects.
-func (hosts *Hosts) UnmarshalYAML(data []byte) error {
-	newHosts := Hosts{}
-	hostIPPrefixMap := make(map[string]string)
-
-	err := yaml.Unmarshal(data, &hostIPPrefixMap)
-	if err != nil {
-		return err
-	}
-	for host, prefixStr := range hostIPPrefixMap {
-		prefix, err := netip.ParsePrefix(prefixStr)
-		if err != nil {
-			return err
-		}
-		newHosts[host] = prefix
-	}
-	*hosts = newHosts
-
-	return nil
-}
-
 // IsZero is perhaps a bit naive here.
 func (pol ACLPolicy) IsZero() bool {
 	if len(pol.Groups) == 0 && len(pol.Hosts) == 0 && len(pol.ACLs) == 0 {
@ -119,7 +97,7 @@ func (pol ACLPolicy) IsZero() bool {
 	return false
 }

-// Returns the list of autoApproving users, groups or tags for a given IPPrefix.
+// GetRouteApprovers returns the list of autoApproving users, groups or tags for a given IPPrefix.
 func (autoApprovers *AutoApprovers) GetRouteApprovers(
 	prefix netip.Prefix,
 ) ([]string, error) {
@ -127,7 +105,7 @@ func (autoApprovers *AutoApprovers) GetRouteApprovers(
 		return autoApprovers.ExitNode, nil // 0.0.0.0/0, ::/0 or equivalent
 	}

-	approverAliases := []string{}
+	approverAliases := make([]string, 0)

 	for autoApprovedPrefix, autoApproverAliases := range autoApprovers.Routes {
 		autoApprovedPrefix, err := netip.ParsePrefix(autoApprovedPrefix)
--- a/hscontrol/types/config.go
+++ b/hscontrol/types/config.go
@ -11,7 +11,6 @@ import (
 	"time"

 	"github.com/coreos/go-oidc/v3/oidc"
-	"github.com/juanfont/headscale/hscontrol/util"
 	"github.com/prometheus/common/model"
 	"github.com/rs/zerolog"
 	"github.com/rs/zerolog/log"
@ -20,6 +19,8 @@ import (
 	"tailscale.com/net/tsaddr"
 	"tailscale.com/tailcfg"
 	"tailscale.com/types/dnstype"
+
+	"github.com/juanfont/headscale/hscontrol/util"
 )

 const (
@ -38,6 +39,13 @@ const (
 	IPAllocationStrategyRandom     IPAllocationStrategy = "random"
 )

+type PolicyMode string
+
+const (
+	PolicyModeDB   = "database"
+	PolicyModeFile = "file"
+)
+
 // Config contains the initial Headscale configuration.
 type Config struct {
 	ServerURL                      string
@ -76,7 +84,7 @@ type Config struct {

 	CLI CLIConfig

-	ACL ACLConfig
+	Policy PolicyConfig

 	Tuning Tuning
 }
@ -163,8 +171,9 @@ type CLIConfig struct {
 	Insecure bool
 }

-type ACLConfig struct {
-	PolicyPath string
+type PolicyConfig struct {
+	Path string
+	Mode PolicyMode
 }

 type LogConfig struct {
@ -197,6 +206,8 @@ func LoadConfig(path string, isFile bool) error {
 	viper.SetEnvKeyReplacer(strings.NewReplacer(".", "_"))
 	viper.AutomaticEnv()

+	viper.SetDefault("policy.mode", "file")
+
 	viper.SetDefault("tls_letsencrypt_cache_dir", "/var/www/.cache")
 	viper.SetDefault("tls_letsencrypt_challenge_type", HTTP01ChallengeType)

@ -254,6 +265,13 @@ func LoadConfig(path string, isFile bool) error {
 		return fmt.Errorf("fatal error reading config file: %w", err)
 	}

+	// Register aliases for backward compatibility
+	// Has to be called _after_ viper.ReadInConfig()
+	// https://github.com/spf13/viper/issues/560
+
+	// Alias the old ACL Policy path with the new configuration option.
+	registerAliasAndDeprecate("policy.path", "acl_policy_path")
+
 	// Collect any validation errors and return them all at once
 	var errorText string
 	if (viper.GetString("tls_letsencrypt_hostname") != "") &&
@ -390,11 +408,13 @@ func GetLogTailConfig() LogTailConfig {
 	}
 }

-func GetACLConfig() ACLConfig {
-	policyPath := viper.GetString("acl_policy_path")
+func GetPolicyConfig() PolicyConfig {
+	policyPath := viper.GetString("policy.path")
+	policyMode := viper.GetString("policy.mode")

-	return ACLConfig{
-		PolicyPath: policyPath,
+	return PolicyConfig{
+		Path: policyPath,
+		Mode: PolicyMode(policyMode),
 	}
 }

@ -764,7 +784,7 @@ func GetHeadscaleConfig() (*Config, error) {
 		LogTail:             logTailConfig,
 		RandomizeClientPort: randomizeClientPort,

-		ACL: GetACLConfig(),
+		Policy: GetPolicyConfig(),

 		CLI: CLIConfig{
 			Address:  viper.GetString("cli.address"),
@ -787,3 +807,20 @@ func GetHeadscaleConfig() (*Config, error) {
 func IsCLIConfigured() bool {
 	return viper.GetString("cli.address") != "" && viper.GetString("cli.api_key") != ""
 }
+
+// registerAliasAndDeprecate will register an alias between the newKey and the oldKey,
+// and log a deprecation warning if the oldKey is set.
+func registerAliasAndDeprecate(newKey, oldKey string) {
+	// NOTE: RegisterAlias is called with NEW KEY -> OLD KEY
+	viper.RegisterAlias(newKey, oldKey)
+	if viper.IsSet(oldKey) {
+		log.Warn().Msgf("The %q configuration key is deprecated. Please use %q instead. %q will be removed in the future.", oldKey, newKey, oldKey)
+	}
+}
+
+// deprecateAndFatal will log a fatal deprecation warning if the oldKey is set.
+func deprecateAndFatal(newKey, oldKey string) {
+	if viper.IsSet(oldKey) {
+		log.Fatal().Msgf("The %q configuration key is deprecated. Please use %q instead. %q has been removed.", oldKey, newKey, oldKey)
+	}
+}
--- a/hscontrol/types/policy.go
+++ b/hscontrol/types/policy.go
@ -0,0 +1,20 @@
+package types
+
+import (
+	"errors"
+
+	"gorm.io/gorm"
+)
+
+var (
+	ErrPolicyNotFound         = errors.New("acl policy not found")
+	ErrPolicyUpdateIsDisabled = errors.New("update is disabled for modes other than 'database'")
+)
+
+// Policy represents a policy in the database.
+type Policy struct {
+	gorm.Model
+
+	// Data contains the policy in HuJSON format.
+	Data string
+}