feat(headscale): add ACL rule for Patrizio to access web services

Add new ACL entry allowing Patrizio tagged devices to access web services on port 443. Also reformat the entire acl.json file with consistent 2-space indentation for better readability.
2026-04-06 18:57:38 +02:00 · 2026-04-06 18:57:38 +02:00 · 8cf346db12
commit 8cf346db12
parent dc740ece40
1 changed files with 49 additions and 39 deletions
--- a/headscale/acl.json
+++ b/headscale/acl.json
@ -1,41 +1,51 @@
 {
-	"groups": {
-		"group:admin": ["davide"],
-		"group:family": ["davide", "dario"],
-		"group:services": ["services"],
-		"group:external": []
-	},
-	"tagOwners": {
-		"tag:web": ["group:admin"],
-		"tag:dns": ["group:admin"],
-		"tag:exitnode": ["group:admin"],
-		"tag:game": ["group:admin", "group:family"]
-	},
-	"acls": [
-		// Family and admin should be able to access everything
-		{
-			"action": "accept",
-			"src": ["group:admin", "group:family"],
-			"dst": [
-				"*:*"
-			]
-		},
-		// External can access only hosted games
-		{
-			"action": "accept",
-			"src": ["group:external"],
-			"dst": [
-				"tag:game:*"
-			]
-		},
-		// Everyone should access DNS server (or we break their internet connection)
-		{
-			"action": "accept",
-			"src": ["*"],
-			"proto": "udp",
-			"dst": [
-				"tag:dns:53"
-			]
-		}
-	]
+  "groups": {
+    "group:admin": ["davide"],
+    "group:family": ["davide", "dario"],
+    "group:services": ["services"],
+    "group:external": []
+  },
+  "tagOwners": {
+    "tag:web": ["group:admin"],
+    "tag:dns": ["group:admin"],
+    "tag:exitnode": ["group:admin"],
+    "tag:game": ["group:admin", "group:family"]
+  },
+  "acls": [
+    // Family and admin should be able to access everything
+    {
+      "action": "accept",
+      "src": ["group:admin", "group:family"],
+      "dst": [
+        "*:*"
+      ]
+    },
+    // External can access only hosted games
+    {
+      "action": "accept",
+      "src": ["group:external"],
+      "dst": [
+        "tag:game:*"
+      ]
+    },
+    // Everyone should access DNS server (or we break their internet connection)
+    {
+      "action": "accept",
+      "src": ["*"],
+      "proto": "udp",
+      "dst": [
+        "tag:dns:53"
+      ]
+    },
+    // Patrizio needs access to web services
+    {
+        "action": "accept",
+        "src": [
+            "tag:patrizio"
+        ],
+        "dst": [
+            "tag:web:443"
+        ]
+    }
+  ]
 }