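// This tailnet's ACLs are maintained in https://github.com/kingozone/unraid
// Started from Tailscale's example policy, but this is NOT the unrestricted
// default: only autogroup:admin gets "*:*"; every other source is limited to
// the explicit rules in "acls" below.
{
  // Declare static groups of users. Use autogroups for all users or users with a specific role.
  // NOTE: "group:admin" is declared but no rule in this file references it;
  // access below is granted via autogroup:admin (tailnet admins) instead.
  "groups": {
    "group:admin": ["[email protected]", "[email protected]"],
  },
  // Define the tags which can be applied to devices and by which users.
  // Only tailnet admins may apply any of these tags. "tag:media" and
  // "tag:connector" are declared here but not referenced by any rule in this file.
  "tagOwners": {
    "tag:router": ["autogroup:admin"],
    "tag:server": ["autogroup:admin"],
    "tag:computer": ["autogroup:admin"],
    "tag:mobile": ["autogroup:admin"],
    "tag:media": ["autogroup:admin"],
    "tag:ssh": ["autogroup:admin"],
    "tag:connector": ["autogroup:admin"],
  },
  // Define access control lists for users, groups, autogroups, tags,
  // Tailscale IP addresses, and subnet ranges.
  "acls": [
    // Devices tagged tag:ssh may reach any port on other tag:ssh devices.
    {"action": "accept", "src": ["tag:ssh"], "dst": ["tag:ssh:*"]},
    // Admins may reach tagged servers and routers on any port. Both rules are
    // subsumed by the "*:*" rule that follows; they are kept so that access to
    // servers/routers survives if the blanket rule is ever removed.
    {"action": "accept", "src": ["autogroup:admin"], "dst": ["tag:server:*"]},
    {"action": "accept", "src": ["autogroup:admin"], "dst": ["tag:router:*"]},
    // Admins may reach every destination on every port.
    {"action": "accept", "src": ["autogroup:admin"], "dst": ["*:*"]},
  ],
  // Define users and devices that can use Tailscale SSH.
  "ssh": [
    // Admins may SSH into tag:ssh devices as their own user or as root.
    // "action" is "accept", not "check", so these sessions do not prompt for
    // re-authentication.
    {
      "action": "accept",
      "src": ["autogroup:admin"],
      "dst": ["tag:ssh"],
      "users": ["autogroup:admin", "root"],
    },
  ],
  "nodeAttrs": [
    {
      // Funnel policy, which lets tailnet members control Funnel
      // for their own devices.
      // Learn more at https://tailscale.com/kb/1223/tailscale-funnel/
      "target": ["autogroup:member"],
      "attr": ["funnel", "nextdns:no-device-info"],
    },
    // Funnel enabled for one specific node, addressed by its Tailscale IP.
    {"target": ["100.125.111.25"], "attr": ["funnel"]},
    // App connectors advertised to all nodes. Each connector is one object in
    // the list. The previous revision was missing the "}, {" between the
    // "confluence" and "server" entries, which nested "server" inside
    // "confluence" as a key-less value and made the whole policy unparseable.
    {"target": ["*"], "app": {"tailscale.com/app-connectors": [
      {
        "name": "github",
        "connectors": ["tag:computer", "tag:mobile", "tag:server"],
        "presetAppID": "github",
      },
      {
        "name": "google-workspace",
        "connectors": ["tag:computer", "tag:mobile", "tag:server"],
        "presetAppID": "google-workspace",
      },
      {
        "name": "confluence",
        "connectors": ["tag:computer", "tag:mobile", "tag:server"],
        "presetAppID": "confluence",
      },
      {
        "name": "server",
        "connectors": ["tag:computer", "tag:mobile", "tag:server", "tag:ssh"],
        "presetAppID": "servers",
      },
    ]}},
  ],
  // Test access rules every time they're saved.
  // "tests": [
  //   {
  //     "src": "[email protected]",
  //     "accept": ["tag:example"],
  //     "deny": ["100.101.102.103:443"],
  //   },
  // ],
}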