-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy pathtailscale-acl.hujson
More file actions
130 lines (126 loc) · 3.59 KB
/
Copy pathtailscale-acl.hujson
File metadata and controls
130 lines (126 loc) · 3.59 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
// This tailnet's ACLs are maintained in https://github.com/BCNelson/nix-config
// Example/default ACLs for unrestricted connections.
{
// Declare static groups of users beyond those in the identity service.
"groups": {
"group:admin": ["bradleynelson102@gmail.com"],
"group:nelsonFamily": [
"bradleynelson102@gmail.com",
"cknelson8@gmail.com",
"cwnelson1990@gmail.com"
],
"group:gaming": [
"brennonschow@gmail.com",
"nelson.7.jeffery@gmail.com"
],
"group:familyVPN": ["Clements.Josiah10@gmail.com"]
},
// Declare convenient hostname aliases to use in place of IP addresses.
"hosts": {
"vor": "100.73.83.164",
"vor6": "fd7a:115c:a1e0:ab12:4843:cd96:6249:53a4",
"romeo": "100.76.49.168",
"romeo6": "fd7a:115c:a1e0:ab12:4843:cd96:624c:31a8",
"xray": "100.114.232.151",
"porter-pc": "100.111.54.18",
"sierra": "100.92.32.99",
"whiskey": "100.89.15.100",
"whiskey6": "fd7a:115c:a1e0::ad01:f64"
},
"tagOwners": {
"tag:server": ["bradleynelson102@gmail.com"],
"tag:client": ["bradleynelson102@gmail.com"],
"tag:iso": ["bradleynelson102@gmail.com"]
},
// Access control lists.
"acls": [
// Match absolutely everything.
// Comment this section out if you want to define specific restrictions.
{"action": "accept", "src": ["group:admin"], "dst": ["*:*"]},
// Allow Outgoing syncthing connections
{"action": "accept", "src": ["romeo", "romeo6"], "dst": ["*:22000"]},
// Allow to vor for smb
{"action": "accept", "src": ["group:nelsonFamily"], "dst": ["vor:445"]},
{"action": "accept", "src": ["romeo", "romeo6"], "dst": ["tag:server:22"]},
{"action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:self:22"]},
{"action": "accept", "src": ["group:gaming"], "dst": ["sierra:52450"]},
// Prometheus node exporter
{"action": "accept", "src": ["whiskey", "whiskey6"], "dst": ["tag:server:9100"]},
//Loki
{"action": "accept", "src": ["tag:server"], "dst": ["whiskey:3100", "whiskey6:3100"]}
],
"grants": [
{
"src": ["group:familyVPN"],
"dst": ["autogroup:internet"],
"via": ["vor", "vor6"]
}
],
"ssh": [
{
"action": "accept",
"src": ["group:admin"],
"dst": ["tag:server"],
"users": ["autogroup:nonroot", "root"]
},
{
"action": "accept",
"src": ["group:admin"],
"dst": ["tag:client"],
"users": ["autogroup:nonroot", "root"]
},
{ // any user can use Tailscale SSH to connect to their own devices
// in check mode as a root or non-root user
"action": "check",
"src": ["autogroup:member"],
"dst": ["autogroup:self"],
"users": ["autogroup:nonroot"]
},
{
"action": "accept",
"src": ["tag:server"],
"dst": ["tag:server"],
// "users": ["syncoid"]
"users": ["autogroup:nonroot", "root"]
}
],
"tests": [
{
"src": "bradleynelson102@gmail.com",
"accept": ["tag:server:22"]
},
{
"src": "group:nelsonFamily",
"accept": ["vor:445"],
"deny": ["vor:22"]
},
//Romeo should be able to access vor:22 for backup replication
{
"src": "romeo",
"accept": ["vor:22"],
"deny": ["xray:22", "porter-pc:22"]
},
// Whiskey should be able to access romeo:9002 for prometheus node exporter
{
"src": "whiskey",
"accept": ["romeo:9100", "vor:9100", "tag:server:9100"],
"deny": ["xray:22", "porter-pc:22"]
},
// Romeo should not be able to access node_exporter on whiskey
{
"src": "romeo",
"deny": ["whiskey:9100"]
},
{
"src": "tag:server",
"accept": ["whiskey:3100", "whiskey6:3100"]
}
],
"sshTests": [
{
"src": "bradleynelson102@gmail.com",
"dst": ["tag:server"],
"accept": ["autogroup:nonroot", "root"]
}
]
}