From a9d15d5ca1a0943286c931ec216f62bb4df90d04 Mon Sep 17 00:00:00 2001
From: Davide Polonio
Date: Thu, 1 May 2025 18:07:09 +0200
Subject: [PATCH] feat: additional iteration over acl, now simpler
---
 headscale/acl.json | 28 +++++----------------------
 1 file changed, 5 insertions(+), 23 deletions(-)
diff --git a/headscale/acl.json b/headscale/acl.json
index 71ded70..7639437 100644
--- a/headscale/acl.json
+++ b/headscale/acl.json
@@ -8,18 +8,16 @@
 "tagOwners": {
 "tag:web": ["group:admin"],
 "tag:dns": ["group:admin"],
- "tag:web": ["group:admin"],
+ "tag:exitnode": ["group:admin"],
 "tag:game": ["group:admin", "group:family"]
 },
 "acls": [
- // Family and admin should be able to access every service
+ // Family and admin should be able to access everything
 {
 "action": "accept",
 "src": ["group:admin", "group:family"],
 "dst": [
- "tag:web:*",
- "tag:dns:*",
- "tag:exitnode:*"
+ "*:*"
 ]
 },
 // External can access only hosted games
@@ -30,30 +28,14 @@
 "tag:game:*"
 ]
 },
- // And possibly the DNS server (or we break their internet connection)
+ // Everyone should access DNS server (or we break their internet connection)
 {
 "action": "accept",
- "src": ["group:external"],
+ "src": ["*"],
 "proto": "udp",
 "dst": [
 "tag:dns:53"
 ]
- },
- // Web services should be able to make DNS queries
- {
- "action": "accept",
- "src": ["tag:web"],
- "proto": "udp",
- "dst": [
- "tag:dns:53"
- ]
- },
- {
- "action": "accept",
- "src": ["group:family"],
- "dst": [
- "group:family:*"
- ]
 }
 ]
 }
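Review bot: The new `"dst": ["*:*"]` on the shared admin/family rule gives `group:family` every destination in the tailnet — exit nodes, admin devices, and whatever `group:external` nodes join — where the removed lines limited family to `tag:web`, `tag:dns` and `tag:exitnode` (plus the `group:family:*` rule dropped in the second hunk). That is a privilege broadening the commit message ("now simpler") does not call out, and it goes beyond what the updated comment "access everything" would make a reader expect for non-admins. If family is meant to have admin reach, say so in the comment; otherwise keep `*:*` for `group:admin` only and give `group:family` an explicit list, as sketched below (add `tag:game:*` if family is meant to reach the games — the external rule's `src` is outside this hunk, so I cannot tell whether they already did). The `acls` array continues past the hunk.
```json
    // Admin can access everything
    {
      "action": "accept",
      "src": ["group:admin"],
      "dst": [
        "*:*"
      ]
    },
    // Family reaches only the shared services and each other's devices
    {
      "action": "accept",
      "src": ["group:family"],
      "dst": [
        "tag:web:*",
        "tag:dns:*",
        "tag:exitnode:*",
        "group:family:*"
      ]
    },
    // … unchanged: external rule …
```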
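Review bot: With `"src": ["*"]` this rule is now the only path for `group:external` nodes to reach the resolver, and the retained `"proto": "udp"` leaves TCP 53 closed, so any DNS exchange that falls back to TCP (truncated responses, large answers, DNS-over-TCP clients) fails for exactly the nodes the comment says it is protecting; drop the `"proto": "udp"` line, or add a sibling rule with `"proto": "tcp"` and the same `dst`. For admin and family the rule is redundant once the first hunk grants them `*:*`, which the comment could state: `// Everyone (in practice only group:external still needs this) may query the DNS server, or we break their internet connection`. `*` as a source also covers tagged devices such as `tag:web`, so deleting the separate web-services-to-DNS rule is consistent with the new wildcard. The enclosing `acls` array starts before the hunk.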