peterwood/shell
1
0
Fork 0
mirror of https://github.com/acedanger/shell.git synced 2025-12-06 03:20:12 -08:00
Code Issues 19 Packages Projects Releases Wiki Activity
Files
535c0b3c3990e79e887194b584ceed690379ef38
shell/tailscale-acl.json
Peter Wood 535c0b3c39 added copy of tailscale acl as of commit date/time
2024-11-13 20:29:27 +00:00

73 lines
2.2 KiB
JSON
Raw Blame History

// Example/default ACLs for unrestricted connections.
{
// Declare static groups of users. Use autogroups for all users or users with a specific role.
"groups": {
"group:admin": ["acedanger49@gmail.com"],
"group:owner": ["acedanger49@gmail.com"],
},
// Define access control lists for users, groups, autogroups, tags,
// Tailscale IP addresses, and subnet ranges.
"acls": [
{
"action": "accept",
"src": ["tag:client", "tag:server"],
"dst": ["tag:golink:*", "tag:server:*"],
},
// Allow all connections.
// Comment this section out if you want to define specific restrictions.
{"action": "accept", "src": ["*"], "dst": ["*:*"]},
],
"hosts": {
"ts-io": "100.114.112.100",
"ts-svr-office": "100.84.197.41",
"ts-vperanda": "100.102.106.71",
"ts-wood-surface8": "100.67.131.121",
"ts-desktop-pete": "100.102.106.71",
"go": "100.112.82.132",
},
// Define users and devices that can use Tailscale SSH.
"ssh": [
{
// any user can use Tailscale SSH to connect to their own devices
// in check mode as a root or non-root user
"action": "accept",
"src": ["tag:client", "tag:server"],
"dst": ["tag:server"],
"users": ["autogroup:nonroot", "root"],
},
{
// any user can use Tailscale SSH to connect to their own devices
// in check mode as a root or non-root user
"action": "check",
"src": ["autogroup:member"],
"dst": ["autogroup:self"],
"users": ["autogroup:nonroot", "root"],
},
],
"nodeAttrs": [
{
// Funnel policy, which lets tailnet members control Funnel
// for their own devices.
// Learn more at https://tailscale.com/kb/1223/tailscale-funnel/
"target": ["autogroup:member"],
"attr": ["funnel"],
},
{"target": ["*"], "app": {"tailscale.com/app-connectors": []}},
],
// Define the tags which can be applied to devices and by which users.
"tagOwners": {
"tag:golink": ["acedanger49@gmail.com"],
"tag:server": ["acedanger49@gmail.com"],
"tag:client": ["acedanger49@gmail.com"],
"tag:docker": ["acedanger49@gmail.com"],
},
"autoapprovers": {
"exitNode": ["autogroup:admin"],
},
// Test access rules every time they're saved.
}
Reference in New Issue View Git Blame Copy Permalink