// This tailnet's ACLs are maintained in https://github.com/c4patino/dotfiles { // Declare host machines "hosts": { "arisu": "100.117.106.23", "kokoro": "100.69.45.111", "chibi": "100.101.224.25", }, // Declare static groups of users. Use autogroups for all users or users with a specific role. "groups": { "group:oasys": [], }, // Define the tags which can be applied to devices and by which users. "tagOwners": { "tag:server": ["autogroup:owner"], }, // Define access control lists for users, groups, autogroups, tags, // Tailscale IP addresses, and subnet ranges. "acls": [ // Allow all connections for owner. { "action": "accept", "src": ["autogroup:owner"], "dst": ["*:*"] }, { "action": "accept", "src": ["group:oasys"], "dst": ["arisu:*"] }, { "action": "accept", "src": ["autogroup:shared"], "dst": ["arisu:25565", "arisu:25566"] } ], // Define attributes for individual nodes within the network. "nodeAttrs": [ { "target": ["c4patino@gmail.com", "tag:server"], "attr": ["drive:access", "drive:share", "funnel"], }, ], // Define access grants for shared file directories. "grants": [ { "src": ["autogroup:owner"], "dst": ["*"], "app": { "tailscale.com/cap/drive": [{ "shares": ["*"], "access": "rw" }], }, }, ], // Define device posture rules requiring devices to meet certain criteria to access parts of your system. "postures": { // Require devices running desktop to have a stable Tailscale version "posture:latestDesktop": [ "node:os IN ['linux', 'macos', 'windows']", "node:tsReleaseTrack == 'stable'", ], // Require devices running mobile to have a stable Tailscale version. "posture:latestMobile": [ "node:os IN ['android', 'ios']", "node:tsReleaseTrack == 'stable'", ], }, // Define users and devices that can use Tailscale SSH. "ssh": [ // Allow owner to ssh into all owned devices { "action": "accept", "src": ["autogroup:owner"], "dst": ["autogroup:self"], "users": ["autogroup:nonroot"], }, // Allow anyone from OASYS to access oasys machines { "action": "check", "src": ["group:oasys"], "dst": ["tag:server"], "users": ["oasys"], }, ], // Test ssh access rules every time they're saved. "sshTests": [ { "src": "c4patino@gmail.com", "dst": ["c4patino@gmail.com"], "accept": ["autogroup:nonroot"], "deny": ["root"], }, // These tests are broken for the moment: https://github.com/tailscale/tailscale/issues/11790 // { // "src": "group:oasys", // "dst": ["tag:server"], // "accept": ["oasys"], // "deny": ["root", "otheruser"], // }, ], }