// This tailnet's ACLs are maintained in https://github.com/dr460nf1r3/dr460nixed
// The file is HuJSON (JSON with comments and trailing commas); the comments
// are part of the file and would be rejected by a strict JSON parser.
{
  // Define access control lists for users, groups, autogroups, tags,
  // Tailscale IP addresses, and subnet ranges.
  // Every rule below is an "accept": traffic that matches no rule is not
  // allowed, so removing a rule narrows access rather than widening it.
  "acls": [
    // All tagged devices can access each other, on every port ("*").
    {
      "action": "accept",
      "src": ["tag:dragons", "tag:others"],
      "dst": ["tag:dragons:*", "tag:others:*"],
    },
    // All invited members (autogroup:shared) can access devices tagged
    // tag:others, on every port.
    {
      "action": "accept",
      "src": ["autogroup:shared"],
      "dst": ["tag:others:*"],
    },
    // Admin and clients can use exit nodes (autogroup:internet).
    // NOTE(review): autogroup:member presumably already includes
    // dr460nf1r3@github, so the explicit user entry looks redundant — confirm.
    {
      "action": "accept",
      "src": ["dr460nf1r3@github", "autogroup:member"],
      "dst": ["autogroup:internet:*"],
    },
    // The Tailscale admin can access everything: "*:*" is every destination
    // on every port. This is the broadest rule in the file, so a change to
    // the src identity here has the highest impact of any edit.
    {
      "action": "accept",
      "src": ["dr460nf1r3@github"],
      "dst": ["*:*"],
    },
    // Allow scraping metrics via node_exporter: one Tailscale IP to one
    // node/port pair (3021), nothing else.
    // NOTE(review): this rule is keyed on node addresses rather than tags, so
    // it silently stops matching if either node is re-added and receives a
    // new address; a tag-based src/dst would survive that. Confirm intended.
    {
      "action": "accept",
      "src": ["100.86.102.115"],
      "dst": ["100.97.58.140:3021"],
    },
  ],
  // Allow the usage of Tailscale SSH - enabling VSCode extension.
  // Only the admin user may SSH, only as the unix user "nico" (root is not
  // listed), and only to the admin's own devices plus the three tagged groups.
  // NOTE(review): "accept" opens sessions without re-authentication; Tailscale
  // SSH also offers a "check" action that requires re-auth, which may be the
  // better fit for the tagged hosts. Confirm against the intended workflow.
  "ssh": [
    {
      "action": "accept",
      "src": ["dr460nf1r3@github"],
      "dst": ["dr460nf1r3@github", "tag:dragons", "tag:others", "tag:connector"],
      "users": ["nico"],
    },
  ],
  // Node attributes: Mullvad exit-node use, app connectors, and Funnel.
  "nodeAttrs": [{
    // Allow my personal devices (and tag:dragons nodes) to use Mullvad exit nodes.
    "target": ["dr460nf1r3@github", "tag:dragons"],
    "attr": ["mullvad"],
  }, {"target": ["*"], "app": {"tailscale.com/app-connectors": [
    // "target": ["*"] applies these app connectors to every node in the
    // tailnet: traffic for the listed domains is sent via the named
    // connector nodes.
    {
      "name": "reddit",
      "connectors": ["tag:connector"],
      "domains": ["reddit.com", "*.reddit.com"],
    },
    // NOTE(review): this connector uses tag:dragons, which is not listed in
    // autoApprovers.routes below (only tag:connector is), so routes learned
    // for these domains may require manual approval — confirm intended.
    {
      "name": "netflix",
      "connectors": ["tag:dragons"],
      "domains": ["netflix.com", "*.netflix.com"],
    },
  ]}}, {
    // Funnel policy, allowing the use of this feature.
    // Funnel exposes a node's local service to the public internet, so every
    // member and every tag:dragons / tag:others node listed here is able to
    // publish a service externally. TODO(review): confirm each group needs it.
    "target": ["autogroup:member", "tag:dragons", "tag:others"],
    "attr": ["funnel"],
  }],
  // Auto approver for connector nodes.
  // 0.0.0.0/0 and ::/0 mean that ANY IPv4/IPv6 route advertised by a
  // tag:connector node is approved without admin review. That is bounded
  // only by tagOwners below, which restricts who may apply tag:connector.
  "autoApprovers": {
    "routes": {
      "0.0.0.0/0": ["tag:connector"],
      "::/0": ["tag:connector"],
    },
  },
  // Define tagOwners (here a single admin user rather than an autogroup).
  // All three tags are owned solely by the admin, so no other member can tag
  // a device into these groups and thereby gain the access granted above.
  "tagOwners": {
    // Tag for connector nodes (also auto-approved for any route, see above).
    "tag:connector": ["dr460nf1r3@github"],
    // Admins own devices with tag:dragons.
    "tag:dragons": ["dr460nf1r3@github"],
    // Admins own devices with tag:others.
    "tag:others": ["dr460nf1r3@github"],
  },
}