diff --git a/hosts/raptus/headscale/acls.nix b/hosts/raptus/headscale/acls.nix
index c648cfd..5d526b0 100644
--- a/hosts/raptus/headscale/acls.nix
+++ b/hosts/raptus/headscale/acls.nix
@@ -19,27 +19,45 @@ in
     name = "headscale-acl.hujson";
     text = builtins.toJSON {
       acls = [
-        (mkAcl [ "tag:client" ] [
-          "tag:client:*"
-          "tag:server:*"
-        ]) # client -> {client, server}
-        (mkAcl [
-          "tag:client"
-          "tag:server"
-        ] [ "tag:backup:${toString options.modules.server.rsync-daemon.port.default}" ])
+        (mkAcl
+          [ "tag:client" ]
+          [
+            "tag:client:*"
+            "tag:server:*"
+          ]
+        ) # client -> {client, server}
+
+        (mkAcl
+          [
+            "tag:client"
+            "tag:server"
+          ]
+          [ "tag:backup:${toString options.modules.server.rsync-daemon.port.default}" ]
+        )
+
+        (mkAcl
+          [
+            "tag:guest"
+          ]
+          [ "paperless.ccnlc.eu:443" "immich.ccnlc.eu:443" ]
+        )
       ];
 
       ssh = [
-        (mkSshAcl [ "tag:client" ] [
-          "tag:server"
-          "tag:client"
-        ] [ "ny" ]) # client -> {client, server}
+        (mkSshAcl [ "tag:client" ]
+          [
+            "tag:server"
+            "tag:client"
+          ]
+          [ "ny" ]
+        ) # client -> {client, server}
       ];
 
       tags = [
         "tag:client"
         "tag:server"
         "tag:backup"
+        "tag:guest"
       ];
 
       tagOwners =