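// Tailscale access-control policy. The file is HuJSON (JSON with `//` comments
// and trailing commas) as accepted by the Tailscale admin console and API; a
// strict RFC 8259 parser rejects it, so validate it with the Tailscale tooling
// rather than a generic JSON linter.
{
  // Define the tags which can be applied to devices and by which users.
  // Every tag below can only be assigned by tailnet admins.
  "tagOwners": {
    "tag:Host": ["autogroup:admin"],
    "tag:Service": ["autogroup:admin"],
    "tag:Bridge": ["autogroup:admin"],
    "tag:Gate": ["autogroup:admin"],
    "tag:Random": ["autogroup:admin"],
    "tag:Hidden": ["autogroup:admin"],
  },

  // Define access control lists for users, groups, autogroups, tags,
  // Tailscale IP addresses, and subnet ranges.
  // Tailscale ACLs are default-deny: a connection is allowed only when a rule
  // below accepts it. tag:Bridge, tag:Gate and tag:Service never appear as a
  // src, so a device carrying only those tags can reach tag:Hidden (via the
  // "*" rule) and nothing else.
  "acls": [
    // Allow all connections.
    // {"action": "accept", "src": ["*"], "dst": ["*:*"]},

    // tag:Random can reach every device in the tailnet on every port.
    // NOTE(review): this is an unrestricted rule; the tests below only
    // exercise port 80, so a narrower dst may be all that is needed — confirm
    // with the owners of tag:Random before tightening.
    {"action": "accept", "src": ["tag:Random"], "dst": ["*:*"]},

    // tag:Host can reach tag:Service devices on every port, and nothing else.
    {"action": "accept", "src": ["tag:Host"], "dst": ["tag:Service:*"]},

    // tag:Hidden serves every source in the tailnet on every port.
    // NOTE(review): the tag name suggests limited exposure but the rule
    // accepts src "*" (users and tagged devices alike) — confirm intended.
    {"action": "accept", "src": ["*"], "dst": ["tag:Hidden:*"]},
  ],

  // Define postures that will be applied to all rules without any specific
  // srcPosture definition.
  // "defaultSrcPosture": [
  //   "posture:anyMac",
  // ],

  // Define device posture rules requiring devices to meet
  // certain criteria to access parts of your system.
  // "postures": {
  //   // Require devices running macOS, a stable Tailscale
  //   // version and auto update enabled for Tailscale.
  //   "posture:autoUpdateMac": [
  //     "node:os == 'macos'",
  //     "node:tsReleaseTrack == 'stable'",
  //     "node:tsAutoUpdate",
  //   ],
  //   // Require devices running macOS and a stable
  //   // Tailscale version.
  //   "posture:anyMac": [
  //     "node:os == 'macos'",
  //     "node:tsReleaseTrack == 'stable'",
  //   ],
  // },

  // Define users and devices that can use Tailscale SSH.
  // tag:Random devices may SSH into tag:Host and tag:Service devices as any
  // non-root user or as root. Tailscale SSH also requires the ACL to allow the
  // connection, which the tag:Random -> "*:*" rule above does.
  // NOTE(review): "accept" grants root login with no re-authentication step;
  // Tailscale SSH's "check" action exists for that — confirm "accept" is the
  // intended choice for root.
  "ssh": [
    {
      "action": "accept",
      "src": ["tag:Random"],
      "dst": ["tag:Host", "tag:Service"],
      "users": ["autogroup:nonroot", "root"],
    },
  ],

  // Test access rules every time they're saved.
  // A failing test rejects the policy save, so these double as regression
  // checks on the rules above.
  "tests": [
    {
      // tag:Bridge reaches tag:Hidden only through the "*" rule; no rule
      // names tag:Bridge as a src, so tag:Host must stay unreachable.
      "src": "tag:Bridge",
      "accept": ["tag:Hidden:80"],
      "deny": ["tag:Host:80"],
    },
    {
      // Both destinations are covered by the tag:Random -> "*:*" rule.
      "src": "tag:Random",
      "accept": ["tag:Bridge:80", "tag:Host:80"],
    },
    {
      // tag:Host may only reach tag:Service; presumably 172.18.42.1 does not
      // carry tag:Service — verify if this test ever starts failing.
      "src": "tag:Host",
      "deny": ["172.18.42.1:80"],
    },
  ],
}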