What's the best way to implement generic zones?

I have various “zones” I want to make sure can see each other, but nothing else. For example, machines in my parents’ house should only be able to see each other, machines in my brother’s house can see each other, but my computer can see everything. What’s a good way to do this once, without implementing N tags and one rule per tag?

Three different User accounts, one for parents, brother, and you? A GitHub Organization is a good way to have a tailnet with multiple users, and is free for friends-and-family use as well: Even more for free: Tailscale for open source projects · Tailscale

Sorry, that’s not what I meant. I’m the administrator of all the machines (so just one user), but I want to write ACLs such that they will be able to be in their own “zone” each. Right now I use tags, but I have to create the tag itself, and add one rule per tag (allow everything from that tag to that tag).

I was wondering if there was a way to move up one level of abstraction and say “allow everything from any tag that starts with zone-* to the same tag”.

There is not a glob-matcher or regex for ACL rules. That leads to enough unexpected behaviors (adding a tag which wasn’t expected to match the glob, but does) that it isn’t clear that adding such would be reasonable.

If having a user per location to use with autogroup:self ACLs isn’t possible, I think the other options are Tags as you are using now or adding Hostnames and controlling access via the IP addresses of the nodes. Both would seem to involve manual configuration effort.
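To make the "one tag per zone, one rule per tag" approach concrete, here is an added example (not from this thread and not Tailscale's own tooling) that generates the policy from a plain list of zone names, so the N rules are produced mechanically rather than typed by hand. The admin login `admin@example.com` and the zone names `parents` and `brother` are placeholders. The generator also emits a `tests` section, which Tailscale's policy format supports, so that the control plane refuses a future edit that lets one zone see another. The `can_reach` function is a deliberately simplified local evaluator (literal principals, `*`, and `tag:` entries only; no groups, autogroups or CIDRs) for sanity-checking the generated rules offline.

```python
"""Generate a per-zone Tailscale ACL policy and sanity-check isolation.

Added example: not code from the forum thread or from Tailscale.
ADMIN and ZONES are assumed placeholder values.
"""
import json

ADMIN = "admin@example.com"      # assumed: the single tailnet administrator
ZONES = ["parents", "brother"]   # assumed zone names -> tag:zone-parents, ...


def build_policy(zones, admin):
    """One tag per zone, one self-to-self accept rule per tag, admin sees all."""
    tags = [f"tag:zone-{z}" for z in zones]
    acls = [{"action": "accept", "src": [t], "dst": [f"{t}:*"]} for t in tags]
    # The administrator's own (untagged) machines may reach everything.
    acls.append({"action": "accept", "src": [admin], "dst": ["*:*"]})
    # Policy-level assertions: each zone reaches itself and nothing else.
    tests = [
        {
            "src": t,
            "accept": [f"{t}:22"],
            "deny": [f"{o}:22" for o in tags if o != t],
        }
        for t in tags
    ]
    return {
        "tagOwners": {t: [admin] for t in tags},  # admin may apply every zone tag
        "acls": acls,
        "tests": tests,
    }


def _port_ok(spec, port):
    """True if `port` is covered by a dst port spec such as '*' or '22,80-443'."""
    if spec == "*":
        return True
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False


def can_reach(policy, src, dst, port=22):
    """Simplified evaluator: does any accept rule let `src` reach `dst` on `port`?

    Handles literal principals, '*' and 'tag:...' entries only. Real Tailscale
    also resolves groups, autogroups and CIDR entries; those are not modelled.
    """
    for rule in policy["acls"]:
        if rule["action"] != "accept":
            continue
        if not any(s in ("*", src) for s in rule["src"]):
            continue
        for entry in rule["dst"]:
            host, _, ports = entry.rpartition(":")  # 'tag:zone-x:*' -> host, '*'
            if host in ("*", dst) and _port_ok(ports, port):
                return True
    return False


if __name__ == "__main__":
    policy = build_policy(ZONES, ADMIN)
    print(json.dumps(policy, indent=2))
    print("parents -> parents:", can_reach(policy, "tag:zone-parents", "tag:zone-parents"))
    print("parents -> brother:", can_reach(policy, "tag:zone-parents", "tag:zone-brother"))
```

Adding a zone is then a one-word change to `ZONES`: the tag, its self-to-self rule, its `tagOwners` entry and its isolation tests are all regenerated together, which is the closest you can get to the "zone-*" abstraction without a glob matcher in the ACL language itself.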

Hmm, I see, thanks. I’m not in love with that, but I also don’t see a better solution that doesn’t have the drawbacks you mention, so I’ll keep doing it the manual way. Thanks!