Added tailscale configuration to dotfiles
Renamed file to correct filename Fixed configuration error Removed empty user string Tests? Fixing syntax errors Fixing syntax errors Added to tests More syntax errors Fixing Almost there Trying something Removed all oasys references
This commit is contained in:
parent
dbae5eb0b3
commit
02a0c33247
2 changed files with 99 additions and 0 deletions
40
.github/workflows/tailscale.yml
vendored
Normal file
40
.github/workflows/tailscale.yml
vendored
Normal file
|
|
@ -0,0 +1,40 @@
|
|||
name: Sync Tailscale ACLs
|
||||
|
||||
on:
|
||||
push:
|
||||
branches: [ "main" ]
|
||||
pull_request:
|
||||
branches: [ "main" ]
|
||||
|
||||
jobs:
|
||||
acls:
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
steps:
|
||||
- uses: actions/checkout@v4
|
||||
|
||||
- name: Fetch version-cache.json
|
||||
uses: actions/cache@v4
|
||||
with:
|
||||
path: ./version-cache.json
|
||||
key: version-cache.json-${{ github.run_id }}
|
||||
restore-keys: |
|
||||
version-cache.json-
|
||||
|
||||
- name: Deploy ACL
|
||||
if: github.event_name == 'push'
|
||||
id: deploy-acl
|
||||
uses: tailscale/gitops-acl-action@v1
|
||||
with:
|
||||
api-key: ${{ secrets.TS_API_KEY }}
|
||||
tailnet: ${{ secrets.TS_TAILNET }}
|
||||
action: apply
|
||||
|
||||
- name: Test ACL
|
||||
if: github.event_name == 'pull_request'
|
||||
id: test-acl
|
||||
uses: tailscale/gitops-acl-action@v1
|
||||
with:
|
||||
api-key: ${{ secrets.TS_API_KEY }}
|
||||
tailnet: ${{ secrets.TS_TAILNET }}
|
||||
action: test
|
||||
59
policy.hujson
Normal file
59
policy.hujson
Normal file
|
|
@ -0,0 +1,59 @@
|
|||
// This tailnet's ACLs are maintained in https://github.com/C4theBomb/dotfiles
|
||||
{
|
||||
// Declare static groups of users. Use autogroups for all users or users with a specific role.
|
||||
"groups": {
|
||||
"group:oasys": [],
|
||||
},
|
||||
|
||||
// Define the tags which can be applied to devices and by which users.
|
||||
"tagOwners": {
|
||||
"tag:oasys": ["autogroup:owner"],
|
||||
},
|
||||
|
||||
// Define access control lists for users, groups, autogroups, tags,
|
||||
// Tailscale IP addresses, and subnet ranges.
|
||||
"acls": [
|
||||
// Allow all connections for owner.
|
||||
{
|
||||
"action": "accept",
|
||||
"src": ["*"],
|
||||
"dst": ["*:*"]
|
||||
},
|
||||
],
|
||||
|
||||
// Define device posture rules requiring devices to meet certain criteria to access parts of your system.
|
||||
"postures": {
|
||||
// Require devices running a stable Tailscale version
|
||||
"posture:latestDesktop": [
|
||||
"node:os IN ['linux', 'macos', 'windows']",
|
||||
"node:tsReleaseTrack == 'stable'",
|
||||
],
|
||||
|
||||
// Require devices running mobile and a stable Tailscale version.
|
||||
"posture:latestMobile": [
|
||||
"node:os IN ['android', 'ios']",
|
||||
"node:tsReleaseTrack == 'stable'",
|
||||
],
|
||||
},
|
||||
|
||||
// Define users and devices that can use Tailscale SSH.
|
||||
"ssh": [
|
||||
// Allow owner to ssh into all owned devices
|
||||
{
|
||||
"action": "accept",
|
||||
"src": ["autogroup:owner"],
|
||||
"dst": ["autogroup:self"],
|
||||
"users": ["autogroup:nonroot"],
|
||||
},
|
||||
],
|
||||
|
||||
// Test access rules every time they're saved.
|
||||
"sshTests": [
|
||||
{
|
||||
"src": "c4patino@gmail.com",
|
||||
"dst": ["c4patino@gmail.com"],
|
||||
"accept": ["autogroup:nonroot"],
|
||||
"deny": ["root"],
|
||||
},
|
||||
],
|
||||
}
|
||||
Loading…
Add table
Add a link
Reference in a new issue