Tailscale security: What if the coordination server goes rogue?

Hey all!

I’m currently debating whether to use Tailscale/Headscale for my network of devices and I’d like to understand its security properties a bit better. Unfortunately, I haven’t been able to find any precise information as to what power the coordination server has over my network and my devices. What could an attacker do if they manage to hack it?

I am aware of Tailnet lock. However, this only seems to prevent adding nodes to the network, not e.g. changing the ACLs. Is there a way to lock/sign the latter as well? (UPDATE: Doesn’t look like it.)

From what I’ve read, even if I enable Tailnet lock, if an attacker manages to take over the coordination server and has access to one of my nodes’ private keys, then it’d be game-over: The attacker could modify the ACLs and make their node have access to everything and, by that, I mean not just running services/open ports on other nodes but actually accessing the node machines as well, via Tailscale SSH. This would imply that one should never run Headscale on a server and have that same server be a node on the Tailnet because it drastically increases the risk for the above scenario. Is all this correct?

Same thing goes for when Tailnet lock is not enabled: Then the attacker wouldn’t even need to control any of the nodes and only controlling the coordination server would already imply full access to every other device on the network (since the attacker could add their own device and change the ACLs accordingly). Is this correct, too?
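A small stdlib-only Python model of the trust split the question describes, added here as an illustration and not part of the original post or of Tailscale's code: the coordination server hands a node its peer list plus the ACL policy; a lock-enabled node accepts only peers whose key carries a valid signature from a trusted signing key (an HMAC stands in for the real public-key signature), but applies the ACLs exactly as sent, so the only defence for the policy itself is pinning its digest locally and alerting when it changes. All key names, node names and the netmap layout are constructed.

```python
import hashlib
import hmac
import json

# Constructed stand-in for a tailnet-lock signing key (the real scheme uses
# public-key signatures; an HMAC key keeps this example stdlib-only).
TRUSTED_SIGNING_KEY = b"constructed-tailnet-lock-signing-key"


def sign_node_key(node_key: str, signing_key: bytes = TRUSTED_SIGNING_KEY) -> str:
    """Signature a lock-holding node would attach when admitting a new node key."""
    return hmac.new(signing_key, node_key.encode(), hashlib.sha256).hexdigest()


def peer_is_trusted(peer: dict) -> bool:
    """Lock check: the peer's node key must carry a valid signature."""
    expected = sign_node_key(peer["node_key"])
    return hmac.compare_digest(peer.get("lock_signature", ""), expected)


def policy_digest(acl: dict) -> str:
    """Stable digest of a policy, so a node can pin the version it last reviewed."""
    return hashlib.sha256(json.dumps(acl, sort_keys=True).encode()).hexdigest()


def apply_netmap(netmap: dict, pinned_policy_digest: str) -> dict:
    """What a lock-enabled node does with a netmap from the coordination server."""
    accepted = [p["node_key"] for p in netmap["peers"] if peer_is_trusted(p)]
    rejected = [p["node_key"] for p in netmap["peers"] if not peer_is_trusted(p)]
    return {
        "accepted_peers": accepted,
        "rejected_peers": rejected,
        # The lock does not cover policy: ACLs are applied as delivered.
        "acl_applied": netmap["acl"],
        # Local pinning is the only signal that the policy was altered.
        "acl_changed": policy_digest(netmap["acl"]) != pinned_policy_digest,
    }


# Constructed sample data: the policy the admin reviewed, then a netmap from a
# rogue coordination server that widens the policy and injects an unsigned node.
BASELINE_ACL = {"acls": [{"action": "accept", "src": ["tag:admin"], "dst": ["*:443"]}]}
ROGUE_ACL = {"acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}]}
ROGUE_NETMAP = {
    "peers": [
        {"node_key": "nodekey:laptop", "lock_signature": sign_node_key("nodekey:laptop")},
        {"node_key": "nodekey:unsigned", "lock_signature": ""},  # never signed by a lock key
    ],
    "acl": ROGUE_ACL,
}
```

Running `apply_netmap(ROGUE_NETMAP, policy_digest(BASELINE_ACL))` rejects the unsigned peer but reports `acl_changed` as true, which is the asymmetry the question points at: node admission is protected, policy is only detectable after the fact.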