mirror of
https://github.com/acedanger/shell.git
synced 2025-12-06 05:40:11 -08:00
added copy of tailscale acl as of commit date/time
This commit is contained in:
Peter Wood
72
tailscale-acl.json
Normal file
72
tailscale-acl.json
Normal file
@@ -0,0 +1,72 @@
|
|||||||
|
// Example/default ACLs for unrestricted connections.
|
||||||
|
{
|
||||||
|
// Declare static groups of users. Use autogroups for all users or users with a specific role.
|
||||||
|
"groups": {
|
||||||
|
"group:admin": ["acedanger49@gmail.com"],
|
||||||
|
"group:owner": ["acedanger49@gmail.com"],
|
||||||
|
},
|
||||||
|
|
||||||
|
// Define access control lists for users, groups, autogroups, tags,
|
||||||
|
// Tailscale IP addresses, and subnet ranges.
|
||||||
|
"acls": [
|
||||||
|
{
|
||||||
|
"action": "accept",
|
||||||
|
"src": ["tag:client", "tag:server"],
|
||||||
|
"dst": ["tag:golink:*", "tag:server:*"],
|
||||||
|
},
|
||||||
|
// Allow all connections.
|
||||||
|
// Comment this section out if you want to define specific restrictions.
|
||||||
|
{"action": "accept", "src": ["*"], "dst": ["*:*"]},
|
||||||
|
],
|
||||||
|
"hosts": {
|
||||||
|
"ts-io": "100.114.112.100",
|
||||||
|
"ts-svr-office": "100.84.197.41",
|
||||||
|
"ts-vperanda": "100.102.106.71",
|
||||||
|
"ts-wood-surface8": "100.67.131.121",
|
||||||
|
"ts-desktop-pete": "100.102.106.71",
|
||||||
|
"go": "100.112.82.132",
|
||||||
|
},
|
||||||
|
// Define users and devices that can use Tailscale SSH.
|
||||||
|
"ssh": [
|
||||||
|
{
|
||||||
|
// any user can use Tailscale SSH to connect to their own devices
|
||||||
|
// in check mode as a root or non-root user
|
||||||
|
"action": "accept",
|
||||||
|
"src": ["tag:client", "tag:server"],
|
||||||
|
"dst": ["tag:server"],
|
||||||
|
"users": ["autogroup:nonroot", "root"],
|
||||||
|
},
|
||||||
|
{
|
||||||
|
// any user can use Tailscale SSH to connect to their own devices
|
||||||
|
// in check mode as a root or non-root user
|
||||||
|
"action": "check",
|
||||||
|
"src": ["autogroup:member"],
|
||||||
|
"dst": ["autogroup:self"],
|
||||||
|
"users": ["autogroup:nonroot", "root"],
|
||||||
|
},
|
||||||
|
],
|
||||||
|
|
||||||
|
"nodeAttrs": [
|
||||||
|
{
|
||||||
|
// Funnel policy, which lets tailnet members control Funnel
|
||||||
|
// for their own devices.
|
||||||
|
// Learn more at https://tailscale.com/kb/1223/tailscale-funnel/
|
||||||
|
"target": ["autogroup:member"],
|
||||||
|
"attr": ["funnel"],
|
||||||
|
},
|
||||||
|
{"target": ["*"], "app": {"tailscale.com/app-connectors": []}},
|
||||||
|
],
|
||||||
|
|
||||||
|
// Define the tags which can be applied to devices and by which users.
|
||||||
|
"tagOwners": {
|
||||||
|
"tag:golink": ["acedanger49@gmail.com"],
|
||||||
|
"tag:server": ["acedanger49@gmail.com"],
|
||||||
|
"tag:client": ["acedanger49@gmail.com"],
|
||||||
|
"tag:docker": ["acedanger49@gmail.com"],
|
||||||
|
},
|
||||||
|
|
||||||
|
"autoapprovers": {
|
||||||
|
"exitNode": ["autogroup:admin"],
|
||||||
|
},
|
||||||
|
// Test access rules every time they're saved.
|
||||||
|
}
|
||||||
Reference in New Issue
Block a user