
If you're looking for a Tailscale alternative (ish), I built a plugin for HashiCorp Vault to manage WireGuard keys: https://github.com/candiddev/vault-plugin-secrets-wireguard

It's a bit more involved than Tailscale with the benefit that it uses Vault's robust authentication options.



But completely missing the thing that makes Tailscale great, imho: ACLs.


This was focused more on secure key distribution. The plugin could be extended to include tags and firewall rules for the groups/peers similar to Tailscale's design and convert them to PostUps that modify nft or iptables.


Yup! And that's where it gets significantly more complicated quickly.


Does the vault read command produce a full mesh network? I’m assuming that’s what it does, but it isn’t spelled out in the readme.


Yea, reading the `/wg-quick` endpoint will produce a rendered config for a wg-quick interface that contains all of the peers in the group. Combined with the Vault agent example, it will update the node automatically as peers are added/deleted.


There is also Netbird.io, a fully open source Tailscale alternative.

But honestly, Headscale is better and more advanced than it.


It's a shame that this is getting downvotes. This looks fantastic. Thank you for posting it.



