Mitchell Kellett
+1 This is the only thing stopping me from making the jump to SendPortal.
I've been quietly following this in the background. I've previously taken a look at [jsiebens/ionscale](https://github.com/jsiebens/ionscale), and I can see that they are using libdns for their implementation of Serve. Looks...
Health returns a 200 OK message; it doesn't return any content in my experience.
Not sure if headscale supports them yet (I haven't dug too far), but could you use [grants](https://tailscale.com/kb/1324/grants?q=grant#app)? Alternatively, what about an ACL group?
@DeadClap this is how I currently do it. But I want users to be able to manage their own devices via headplane.
What about true or false style, something like this?

- readOwnMachines
- writeOwnMachines
- readAllMachines
- writeAllMachines
- readUsers
- writeUsers
- readPolicy
- writePolicy
- readNetworkConfig
- writeNetworkConfig
-...

Could do something like this? readMachines (none, self, all) writeMachines (none, self, all) readUsers (none, self, all) writeUsers (none, self, all) policy (none, read, write) networkConfig (none, read, write) readPreAuthKeys...
If you're going down the path of grants, you could also use TS as the method of authentication as well. A bit like [tsidp](https://github.com/tailscale/tailscale/tree/main/cmd/tsidp), [hello](https://github.com/tailscale/tailscale/tree/main/cmd/hello), and [nginx-auth](https://github.com/tailscale/tailscale/tree/main/cmd/nginx-auth) all work.
> how to avoid /admin page for non admins

I just have two OIDC apps, one for Headscale, one for Headplane that are scoped to two groups of users: -...
I mean yes, it’s got its own client id and client secret. But it’s really not that much effort to set up. I think it took me all of 2...