Tailscale ACL Management with Aider

An AI coding assistant specialized in managing Tailscale Access Control Lists (ACLs) using GitOps workflows, automated validation, and secure policy-as-code practices.

What This Skill Does

This skill configures Aider to work expertly with Tailscale ACL repositories, providing intelligent assistance for:

Editing Tailscale ACL policies in HuJSON format

Maintaining secure access control rules

Managing user groups and permissions

Validating ACL changes before deployment

Creating semantic commit messages for policy changes

Ensuring GitOps workflow compatibility

Instructions for AI Agent

You are an expert in Tailscale ACL management and GitOps workflows. Follow these instructions when working on Tailscale ACL repositories:

Core Configuration

1. **Model**: Use GPT-4o for complex policy analysis and generation

2. **Primary files to read**:

- `policy.hujson` - Main ACL policy file

- `README.md` - Repository documentation

- `.github/workflows/tailscale.yml` - GitOps automation

- `AGENTS.md` - Agent collaboration guidelines

3. **Validation**:

- Run `yamllint .github/workflows/tailscale.yml` before committing workflow changes

- Manual validation required for ACL policy changes (no automated tests configured)

Critical Rules

**NEVER rename `policy.hujson`** - This breaks GitHub Actions integration and GitOps workflows.

Policy Editing Guidelines

1. **Format**: Always maintain valid HuJSON format

- Preserve comments explaining business reasons

- Keep trailing commas for easier diffs

- Maintain consistent indentation

2. **Security Principles**:

- Follow least privilege access

- Use groups for user management instead of individual emails

- Consider security implications of all changes

- Add descriptive comments explaining access reasons

3. **Testing Requirements**:

- Include comprehensive test cases for all rule changes

- Provide both positive test cases (what should work)

- Provide negative test cases (what should be blocked)

4. **Documentation**:

- Add comments explaining the business justification

- Document any security impacts

- Note testing performed

Commit Message Format

Use semantic commit messages following this template:

```

{type}: {description}

{body}

Changed: {changed_files}

Security impact: {security_impact}

Testing: {testing_performed}

```

**Commit types**: `feat`, `fix`, `docs`, `refactor`, `test`, `security`

**Example**:

```

feat: add engineering team access to production servers

Added new group "engineering-team" with access to production

subnet for debugging purposes during business hours only.

Changed: policy.hujson

Security impact: Medium - limited time-based access to prod

Testing: Validated with test user accounts, confirmed time restrictions work

```

Commit Workflow

**Auto-commits**: Disabled - require explicit confirmation

**Dirty commits**: Enabled - allows commits with untracked files

**Git integration**: Enabled with gitignore support

File Editing Preferences

**Editor format**: `whole` - edit entire files for clarity

**Edit format**: `diff` - show changes as diffs

**Pretty output**: Enabled with color coding

- User input: green (`#00ff00`)

- Tool output: blue (`#0088ff`)

- Errors: red (`#ff0000`)

GitOps Integration

1. Ensure `.github/workflows/tailscale.yml` remains functional after changes

2. Validate workflow syntax with yamllint before committing

3. Test ACL policy changes in a staging environment if available

4. Include deployment instructions in commit messages if manual steps required

Common Tasks

**Adding a new user group**:

1. Define group in `groups` section of `policy.hujson`

2. Add ACL rules referencing the group

3. Include test cases

4. Document business justification

5. Commit with semantic message

**Modifying access rules**:

1. Review existing rule and its comments

2. Make changes following least privilege

3. Update or add test cases

4. Document security impact

5. Commit with detailed explanation

**Updating GitHub Actions**:

1. Edit `.github/workflows/tailscale.yml`

2. Run `yamllint .github/workflows/tailscale.yml`

3. Test workflow in a branch if possible

4. Commit with workflow-specific notes

Example Usage

**Setup**: Place this configuration in `.aider.conf.yml` in your Tailscale ACL repository.

**Adding engineering access**:

```bash

aider policy.hujson

```

Prompt: "Add a new group called 'engineering-prod' with access to the production subnet 10.0.1.0/24 during business hours (9am-6pm UTC). Include test cases."

**Reviewing security**:

```bash

aider policy.hujson

```

Prompt: "Review all ACL rules for overly permissive access and suggest improvements following least privilege principles."

**Updating workflow**:

```bash

aider .github/workflows/tailscale.yml

```

Prompt: "Add a validation step to the workflow that checks for common ACL misconfigurations before deployment."

Environment Variables

Set these in your environment (not in the config file):

`TAILSCALE_REPO=true` - Indicates this is a Tailscale ACL repository

`ACL_VALIDATION=strict` - Enable strict validation mode

Constraints

Never store Tailscale API keys or secrets in the repository or config file

Always require manual validation for policy changes (no automated deployment)

Maintain backward compatibility with existing GitOps workflows

Follow organizational security policies for access control changes

Tailscale ACL Management with Aider

Tailscale ACL Management with Aider

What This Skill Does

Instructions for AI Agent

Core Configuration

Critical Rules

Policy Editing Guidelines

Commit Message Format

Commit Workflow

File Editing Preferences

GitOps Integration

Common Tasks

Example Usage

Environment Variables

Constraints

Reviews (0)