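// Tailscale tailnet policy file (HuJSON: comments and trailing commas are allowed).
// Example/default ACLs for unrestricted connections.
{
  // Declare static groups of users. Use autogroups for all users or users with a specific role.
  // NOTE(review): neither group is referenced by any rule in this file.
  "groups": {
    "group:admin": ["acedanger49@gmail.com"],
    "group:owner": ["acedanger49@gmail.com"],
  },

  // Define access control lists for users, groups, autogroups, tags,
  // Tailscale IP addresses, and subnet ranges.
  // ACLs are deny-by-default; a connection is allowed if any "accept" rule matches it.
  "acls": [
    // Tagged clients and servers may reach any port on golink and server devices.
    {
      "action": "accept",
      "src": ["tag:client", "tag:server"],
      "dst": ["tag:golink:*", "tag:server:*"],
    },
    // Allow all connections.
    // Comment this section out if you want to define specific restrictions.
    // While this rule is present it grants every device access to every port on
    // every other device, so the tag-scoped rule above has no restricting effect.
    {"action": "accept", "src": ["*"], "dst": ["*:*"]},
  ],

  // Friendly names for Tailscale IP addresses.
  // NOTE(review): "ts-vperanda" and "ts-desktop-pete" both map to 100.102.106.71;
  // confirm this is an intentional alias and not a stale or copied entry.
  "hosts": {
    "ts-io": "100.114.112.100",
    "ts-svr-office": "100.84.197.41",
    "ts-vperanda": "100.102.106.71",
    "ts-wood-surface8": "100.67.131.121",
    "ts-desktop-pete": "100.102.106.71",
    "go": "100.112.82.132",
  },

  // Define users and devices that can use Tailscale SSH.
  "ssh": [
    {
      // Tagged clients and servers can use Tailscale SSH to connect to tagged
      // servers as root or as any non-root user. The action is "accept", so no
      // check-mode re-authentication is required.
      // NOTE(review): anyone able to apply tag:client or tag:server (see
      // "tagOwners") can obtain a root session on tag:server devices through
      // this rule; drop "root" from "users" if that is not intended.
      "action": "accept",
      "src": ["tag:client", "tag:server"],
      "dst": ["tag:server"],
      "users": ["autogroup:nonroot", "root"],
    },
    {
      // any user can use Tailscale SSH to connect to their own devices
      // in check mode as a root or non-root user
      "action": "check",
      "src": ["autogroup:member"],
      "dst": ["autogroup:self"],
      "users": ["autogroup:nonroot", "root"],
    },
  ],

  "nodeAttrs": [
    {
      // Funnel policy, which lets tailnet members control Funnel
      // for their own devices. Funnel publishes a local service to the
      // public internet, so every member can expose their own device.
      // Learn more at https://tailscale.com/kb/1223/tailscale-funnel/
      "target": ["autogroup:member"],
      "attr": ["funnel"],
    },
    // App connector settings applied to all nodes; the connector list is empty.
    {"target": ["*"], "app": {"tailscale.com/app-connectors": []}},
  ],

  // Define the tags which can be applied to devices and by which users.
  // NOTE(review): tag:docker is declared here but not used by any rule in this file.
  "tagOwners": {
    "tag:golink": ["acedanger49@gmail.com"],
    "tag:server": ["acedanger49@gmail.com"],
    "tag:client": ["acedanger49@gmail.com"],
    "tag:docker": ["acedanger49@gmail.com"],
  },

  // Exit-node advertisements from tailnet admins are approved without manual review.
  // The key was spelled "autoapprovers"; the documented spelling is "autoApprovers".
  "autoApprovers": {
    "exitNode": ["autogroup:admin"],
  },

  // Test access rules every time they're saved.
  // NOTE(review): no "tests" section follows this comment, so nothing is
  // asserted when the policy is saved.
}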