112 lines
2.7 KiB
Text
Executable file
112 lines
2.7 KiB
Text
Executable file
// This tailnet's ACLs are maintained in https://github.com/c4patino/dotfiles
|
|
{
|
|
// Declare host machines
|
|
"hosts": {
|
|
"arisu": "100.117.106.23",
|
|
"kokoro": "100.69.45.111",
|
|
"chibi": "100.101.224.25",
|
|
},
|
|
|
|
// Declare static groups of users. Use autogroups for all users or users with a specific role.
|
|
"groups": {
|
|
"group:oasys": [],
|
|
},
|
|
|
|
// Define the tags which can be applied to devices and by which users.
|
|
"tagOwners": {
|
|
"tag:server": ["autogroup:owner"],
|
|
},
|
|
|
|
// Define access control lists for users, groups, autogroups, tags,
|
|
// Tailscale IP addresses, and subnet ranges.
|
|
"acls": [
|
|
// Allow all connections for owner.
|
|
{
|
|
"action": "accept",
|
|
"src": ["autogroup:owner"],
|
|
"dst": ["*:*"]
|
|
},
|
|
{
|
|
"action": "accept",
|
|
"src": ["group:oasys"],
|
|
"dst": ["arisu:*"]
|
|
},
|
|
{
|
|
"action": "accept",
|
|
"src": ["autogroup:shared"],
|
|
"dst": ["arisu:25565", "arisu:25566"]
|
|
}
|
|
],
|
|
|
|
// Define attributes for individual nodes within the network.
|
|
"nodeAttrs": [
|
|
{
|
|
"target": ["c4patino@gmail.com", "tag:server"],
|
|
"attr": ["drive:access", "drive:share", "funnel"],
|
|
},
|
|
],
|
|
|
|
// Define access grants for shared file directories.
|
|
"grants": [
|
|
{
|
|
"src": ["autogroup:owner"],
|
|
"dst": ["*"],
|
|
"app": {
|
|
"tailscale.com/cap/drive": [{
|
|
"shares": ["*"],
|
|
"access": "rw"
|
|
}],
|
|
},
|
|
},
|
|
],
|
|
|
|
// Define device posture rules requiring devices to meet certain criteria to access parts of your system.
|
|
"postures": {
|
|
// Require devices running desktop to have a stable Tailscale version
|
|
"posture:latestDesktop": [
|
|
"node:os IN ['linux', 'macos', 'windows']",
|
|
"node:tsReleaseTrack == 'stable'",
|
|
],
|
|
|
|
// Require devices running mobile to have a stable Tailscale version.
|
|
"posture:latestMobile": [
|
|
"node:os IN ['android', 'ios']",
|
|
"node:tsReleaseTrack == 'stable'",
|
|
],
|
|
},
|
|
|
|
// Define users and devices that can use Tailscale SSH.
|
|
"ssh": [
|
|
// Allow owner to ssh into all owned devices
|
|
{
|
|
"action": "accept",
|
|
"src": ["autogroup:owner"],
|
|
"dst": ["autogroup:self"],
|
|
"users": ["autogroup:nonroot"],
|
|
},
|
|
// Allow anyone from OASYS to access oasys machines
|
|
{
|
|
"action": "check",
|
|
"src": ["group:oasys"],
|
|
"dst": ["tag:server"],
|
|
"users": ["oasys"],
|
|
},
|
|
],
|
|
|
|
// Test ssh access rules every time they're saved.
|
|
"sshTests": [
|
|
{
|
|
"src": "c4patino@gmail.com",
|
|
"dst": ["c4patino@gmail.com"],
|
|
"accept": ["autogroup:nonroot"],
|
|
"deny": ["root"],
|
|
},
|
|
// These tests are broken for the moment: https://github.com/tailscale/tailscale/issues/11790
|
|
// {
|
|
// "src": "group:oasys",
|
|
// "dst": ["tag:server"],
|
|
// "accept": ["oasys"],
|
|
// "deny": ["root", "otheruser"],
|
|
// },
|
|
],
|
|
}
|