feat: additional iteration over acl, now simpler

2025-05-01 18:07:09 +02:00 · 2025-05-01 18:07:09 +02:00 · a9d15d5ca1
commit a9d15d5ca1
parent 67e8b43807
1 changed files with 5 additions and 23 deletions
--- a/headscale/acl.json
+++ b/headscale/acl.json
@ -8,18 +8,16 @@
 	"tagOwners": {
 		"tag:web": ["group:admin"],
 		"tag:dns": ["group:admin"],
-		"tag:web": ["group:admin"],
+		"tag:exitnode": ["group:admin"],
 		"tag:game": ["group:admin", "group:family"]
 	},
 	"acls": [
-		// Family and admin should be able to access every service
+		// Family and admin should be able to access everything
 		{
 			"action": "accept",
 			"src": ["group:admin", "group:family"],
 			"dst": [
-				"tag:web:*",
-				"tag:dns:*",
-				"tag:exitnode:*"
+				"*:*"
 			]
 		},
 		// External can access only hosted games
@ -30,30 +28,14 @@
 				"tag:game:*"
 			]
 		},
-		// And possibly the DNS server (or we break their internet connection)
+		// Everyone should access DNS server (or we break their internet connection)
 		{
 			"action": "accept",
-			"src": ["group:external"],
+			"src": ["*"],
 			"proto": "udp",
 			"dst": [
 				"tag:dns:53"
 			]
-		},
-		// Web services should be able to make DNS queries
-		{
-			"action": "accept",
-			"src": ["tag:web"],
-			"proto": "udp",
-			"dst": [
-				"tag:dns:53"
-			]
-		},
-		{
-			"action": "accept",
-			"src": ["group:family"],
-			"dst": [
-				"group:family:*"
-			]
 		}
 	]
 }