From 8cf346db12980ee6316cac6fda7d454574a9fdf4 Mon Sep 17 00:00:00 2001
From: Davide Polonio
Date: Mon, 6 Apr 2026 18:57:38 +0200
Subject: [PATCH] feat(headscale): add ACL rule for Patrizio to access web services
Add new ACL entry allowing Patrizio tagged devices to access web services on port 443. Also reformat the entire acl.json file with consistent 2-space indentation for better readability.
---
 headscale/acl.json | 88 ++++++++++++++++++++++++++--------------------
 1 file changed, 49 insertions(+), 39 deletions(-)
diff --git a/headscale/acl.json b/headscale/acl.json
index 7639437..c993bfd 100644
--- a/headscale/acl.json
+++ b/headscale/acl.json
@@ -1,41 +1,51 @@
 {
- "groups": {
- "group:admin": ["davide"],
- "group:family": ["davide", "dario"],
- "group:services": ["services"],
- "group:external": []
- },
- "tagOwners": {
- "tag:web": ["group:admin"],
- "tag:dns": ["group:admin"],
- "tag:exitnode": ["group:admin"],
- "tag:game": ["group:admin", "group:family"]
- },
- "acls": [
- // Family and admin should be able to access everything
- {
- "action": "accept",
- "src": ["group:admin", "group:family"],
- "dst": [
- "*:*"
- ]
- },
- // External can access only hosted games
- {
- "action": "accept",
- "src": ["group:external"],
- "dst": [
- "tag:game:*"
- ]
- },
- // Everyone should access DNS server (or we break their internet connection)
- {
- "action": "accept",
- "src": ["*"],
- "proto": "udp",
- "dst": [
- "tag:dns:53"
- ]
- }
- ]
+ "groups": {
+ "group:admin": ["davide"],
+ "group:family": ["davide", "dario"],
+ "group:services": ["services"],
+ "group:external": []
+ },
+ "tagOwners": {
+ "tag:web": ["group:admin"],
+ "tag:dns": ["group:admin"],
+ "tag:exitnode": ["group:admin"],
+ "tag:game": ["group:admin", "group:family"]
+ },
+ "acls": [
+ // Family and admin should be able to access everything
+ {
+ "action": "accept",
+ "src": ["group:admin", "group:family"],
+ "dst": [
+ "*:*"
+ ]
+ },
+ // External can access only hosted games
+ {
+ "action": "accept",
+ "src": ["group:external"],
+ "dst": [
+ "tag:game:*"
+ ]
+ },
+ // Everyone should access DNS server (or we break their internet connection)
+ {
+ "action": "accept",
+ "src": ["*"],
+ "proto": "udp",
+ "dst": [
+ "tag:dns:53"
+ ]
+ },
+ // Patrizio needs access to web services
+ {
+ "action": "accept",
+ "src": [
+ "tag:patrizio"
+ ],
+ "dst": [
+ "tag:web:443"
+ ]
+ }
+ ]
 }
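Review bot: The new rule's source `tag:patrizio` is not declared in `tagOwners`, which in this hunk only lists tag:web, tag:dns, tag:exitnode and tag:game. Headscale's policy loader is, as far as I recall, strict about tags referenced in `src`/`dst` having an owner, so the policy may be rejected on reload; and even where it loads, an unowned tag leaves no stated authority over who may assign it, which is what actually scopes the 443 grant. Add `"tag:patrizio": ["group:admin"]` to `tagOwners` (or whichever group is meant to vouch for those devices) so the tag is owned the same way as the others. Note also that, unlike the DNS rule above it, the new entry carries no `proto`, so the grant covers every protocol on port 443 rather than only TCP; if that is intended, a word in the `// Patrizio needs access to web services` comment would make it explicit.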