dotfiles/policy.hujson

112 lines
2.7 KiB
Text
Executable file

// This tailnet's ACLs are maintained in https://github.com/c4patino/dotfiles
{
// Declare host machines
"hosts": {
"arisu": "100.117.106.23",
"kokoro": "100.69.45.111",
"chibi": "100.101.224.25",
},
// Declare static groups of users. Use autogroups for all users or users with a specific role.
"groups": {
"group:oasys": [],
},
// Define the tags which can be applied to devices and by which users.
"tagOwners": {
"tag:server": ["autogroup:owner"],
},
// Define access control lists for users, groups, autogroups, tags,
// Tailscale IP addresses, and subnet ranges.
"acls": [
// Allow all connections for owner.
{
"action": "accept",
"src": ["autogroup:owner"],
"dst": ["*:*"]
},
{
"action": "accept",
"src": ["group:oasys"],
"dst": ["arisu:*"]
},
{
"action": "accept",
"src": ["autogroup:shared"],
"dst": ["arisu:25565", "arisu:25566"]
}
],
// Define attributes for individual nodes within the network.
"nodeAttrs": [
{
"target": ["c4patino@gmail.com", "tag:server"],
"attr": ["drive:access", "drive:share", "funnel"],
},
],
// Define access grants for shared file directories.
"grants": [
{
"src": ["autogroup:owner"],
"dst": ["*"],
"app": {
"tailscale.com/cap/drive": [{
"shares": ["*"],
"access": "rw"
}],
},
},
],
// Define device posture rules requiring devices to meet certain criteria to access parts of your system.
"postures": {
// Require devices running desktop to have a stable Tailscale version
"posture:latestDesktop": [
"node:os IN ['linux', 'macos', 'windows']",
"node:tsReleaseTrack == 'stable'",
],
// Require devices running mobile to have a stable Tailscale version.
"posture:latestMobile": [
"node:os IN ['android', 'ios']",
"node:tsReleaseTrack == 'stable'",
],
},
// Define users and devices that can use Tailscale SSH.
"ssh": [
// Allow owner to ssh into all owned devices
{
"action": "accept",
"src": ["autogroup:owner"],
"dst": ["autogroup:self"],
"users": ["autogroup:nonroot"],
},
// Allow anyone from OASYS to access oasys machines
{
"action": "check",
"src": ["group:oasys"],
"dst": ["tag:server"],
"users": ["oasys"],
},
],
// Test ssh access rules every time they're saved.
"sshTests": [
{
"src": "c4patino@gmail.com",
"dst": ["c4patino@gmail.com"],
"accept": ["autogroup:nonroot"],
"deny": ["root"],
},
// These tests are broken for the moment: https://github.com/tailscale/tailscale/issues/11790
// {
// "src": "group:oasys",
// "dst": ["tag:server"],
// "accept": ["oasys"],
// "deny": ["root", "otheruser"],
// },
],
}