add acl in json

roles/vpn/files/config/acl.json

@@ -0,0 +1,21 @@
+{
+  "groups": {
+    "group:admin": ["elizabeth.hunt"]
+  },
+  "tagOwners": {
+    "tag:prod": ["group:admin"],
+    "tag:private": ["group:admin"],
+    "tag:dev": ["group:admin"]
+  },
+  "acls": [
+    {
+      "action": "accept",
+      "src": ["group:admin"],
+      "dst": [
+        "tag:dev:*",
+        "tag:private:*",
+        "tag:prod:*"
+      ]
+    }
+  ]
+}

roles/vpn/files/config/acl.yml

@@ -1,4 +0,0 @@
----
-groups:
-  admin:
-    - "lizzy"

roles/vpn/tasks/main.yml

@@ -26,7 +26,7 @@
 - name: build headscale config template
   template:
     src: ../templates/config.yml.j2
-    dest: /etc/docker/compose/headscale/config.yml
+    dest: /etc/docker/compose/headscale/config/config.yml
     owner: root
     group: root
     mode: u=rw,g=r,o=r

roles/vpn/templates/config.yml.j2

@@ -160,7 +160,7 @@ log:
 # Path to a file containg ACL policies.
 # ACLs can be defined as YAML or HUJSON.
 # https://tailscale.com/kb/1018/acls/
-acl_policy_path: "/etc/headscale/acl.yml"
+acl_policy_path: "/etc/headscale/acl.json"
 
 ## DNS
 #
@@ -264,8 +264,7 @@ oidc:
   #   - admins
   #   - people
   # Optional.
-  allowed_users:
+  allowed_users: {{ headscale_allowed_users }}
-    - "{{ headscale_allowed_users }}"
 
   # If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.
   # This will transform `first-name.last-name@example.com` to the user `first-name.last-name`