// This tailnet's ACLs are maintained in https://github.com/BCNelson/nix-config
//
// Policy overview: Tailscale denies anything not explicitly accepted, so the
// rules below are the complete allow-list. The only wildcard destination in
// the file grants group:admin access to every node and port; every other rule
// is a narrow host/group/tag -> port allowance.
{
  // Declare static groups of users beyond those in the identity service.
  // Only group:admin has a member here; nelsonFamily and gaming are empty, so
  // the network rules that reference them currently match no one.
  "groups": {
    "group:admin": ["[email protected]"],
    "group:nelsonFamily": [
    ],
    "group:gaming": [
    ]
  },
  // Declare convenient hostname aliases to use in place of IP addresses.
  // A rule that names an alias matches only that one address, which is
  // presumably why romeo/romeo6 and whiskey/whiskey6 are always listed as a
  // pair below. xray, porter-pc and sierra have IPv4 aliases only.
  "hosts": {
    "vor": "100.73.83.164",
    "vor6": "fd7a:115c:a1e0:ab12:4843:cd96:6249:53a4",
    "romeo": "100.76.49.168",
    "romeo6": "fd7a:115c:a1e0:ab12:4843:cd96:624c:31a8",
    "xray": "100.114.232.151",
    "porter-pc": "100.111.54.18",
    "sierra": "100.92.32.99",
    "whiskey": "100.89.15.100",
    "whiskey6": "fd7a:115c:a1e0::ad01:f64"
  },
  // Who may apply each tag to a node. All three tags are owned by the single
  // admin identity; this matters because tag:server is used as both a source
  // and a destination in the ACL and SSH rules below, so tagging a node is
  // equivalent to granting it those rights.
  "tagOwners": {
    "tag:server": ["[email protected]"],
    "tag:client": ["[email protected]"],
    "tag:iso": ["[email protected]"]
  },
  // Access control lists (network-level allow rules).
  "acls": [
    // Full access for administrators: every node, every port. This is the
    // only wildcard destination in the policy and the rule to review first
    // when a member is added to group:admin.
    {"action": "accept", "src": ["group:admin"], "dst": ["*:*"]},
    // Allow outgoing Syncthing connections from romeo to port 22000 on any node.
    {"action": "accept", "src": ["romeo", "romeo6"], "dst": ["*:22000"]},
    // Family members may reach SMB (445) on vor only. Inert while the group is empty.
    {"action": "accept", "src": ["group:nelsonFamily"], "dst": ["vor:445"]},
    // romeo may reach port 22 on every tag:server node (backup replication,
    // per the test further down).
    {"action": "accept", "src": ["romeo", "romeo6"], "dst": ["tag:server:22"]},
    // Every member may reach port 22 on devices they themselves own.
    {"action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self:22"]},
    // Gaming group may reach sierra:52450. Inert while the group is empty.
    {"action": "accept", "src": ["group:gaming"], "dst": ["sierra:52450"]},
    // Prometheus node exporter: whiskey may reach port 9100 on tag:server
    // nodes. Access is granted by tag only, not by host alias.
    {"action": "accept", "src": ["whiskey", "whiskey6"], "dst": ["tag:server:9100"]},
    // Loki: tag:server nodes may reach whiskey on port 3100.
    {"action": "accept", "src": ["tag:server"], "dst": ["whiskey:3100", "whiskey6:3100"]}
  ],
  // Tailscale SSH rules: which login users a permitted connection may assume.
  // NOTE(review): network reachability of port 22 is still decided by "acls"
  // above; an ssh rule alone does not open the port — confirm against the
  // Tailscale SSH docs if relying on this.
  "ssh": [
    // Admins may SSH to tag:server nodes as any non-root user or as root.
    {
      "action": "accept",
      "src": ["group:admin"],
      "dst": ["tag:server"],
      "users": ["autogroup:nonroot", "root"]
    },
    // Admins may SSH to tag:client nodes as any non-root user or as root.
    {
      "action": "accept",
      "src": ["group:admin"],
      "dst": ["tag:client"],
      "users": ["autogroup:nonroot", "root"]
    },
    { // any user can use Tailscale SSH to connect to their own devices
      // in check mode as a non-root user only (root is deliberately not in
      // "users" here, unlike the admin rules above)
      "action": "check",
      "src": ["autogroup:member"],
      "dst": ["autogroup:self"],
      "users": ["autogroup:nonroot"]
    },
    // Server-to-server SSH, including root, between all tag:server nodes.
    // NOTE(review): the commented-out "syncoid" user suggests the intent is a
    // dedicated replication account; root across every tagged server is wider
    // than the romeo -> tag:server:22 network rule implies — confirm scope.
    {
      "action": "accept",
      "src": ["tag:server"],
      "dst": ["tag:server"],
      // "users": ["syncoid"]
      "users": ["autogroup:nonroot", "root"]
    }
  ],
  // Network policy tests; Tailscale rejects a policy save if any of these fail.
  // NOTE(review): there is no test asserting that a non-admin source is denied
  // something outside its narrow rules (e.g. romeo to vor:445) — consider adding
  // one so the wildcard cannot silently widen.
  "tests": [
    // The admin identity reaches SSH on tagged servers (via the *:* rule).
    {
      "src": "[email protected]",
      "accept": ["tag:server:22"]
    },
    // Family members get SMB on vor but not SSH.
    {
      "src": "group:nelsonFamily",
      "accept": ["vor:445"],
      "deny": ["vor:22"]
    },
    // Romeo should be able to access vor:22 for backup replication, but not
    // SSH on untagged hosts. Passes only if vor carries tag:server.
    {
      "src": "romeo",
      "accept": ["vor:22"],
      "deny": ["xray:22", "porter-pc:22"]
    },
    // Whiskey should be able to reach the Prometheus node exporter (port 9100)
    // on romeo, vor and any tag:server node. The romeo/vor assertions pass only
    // if those nodes carry tag:server, since the ACL grants 9100 by tag alone.
    {
      "src": "whiskey",
      "accept": ["romeo:9100", "vor:9100", "tag:server:9100"],
      "deny": ["xray:22", "porter-pc:22"]
    },
    // Romeo should not be able to access node_exporter on whiskey: scraping is
    // one-directional (whiskey -> servers), never the reverse.
    {
      "src": "romeo",
      "deny": ["whiskey:9100"]
    },
    // Tagged servers can ship logs to Loki on whiskey over v4 and v6.
    {
      "src": "tag:server",
      "accept": ["whiskey:3100", "whiskey6:3100"]
    }
  ],
  // SSH policy tests. Only the admin -> tag:server rule is exercised; the
  // "check" rule and the server-to-server root rule have no test here.
  "sshTests": [
    {
      "src": "[email protected]",
      "dst": ["tag:server"],
      "accept": ["autogroup:nonroot", "root"]
    }
  ]
}