79 lines
2.1 KiB
JSON
79 lines
2.1 KiB
JSON
{
|
|
// Define the tags which can be applied to devices and by which users.
|
|
"tagOwners": {
|
|
"tag:Host": ["autogroup:admin"],
|
|
"tag:Service": ["autogroup:admin"],
|
|
"tag:Bridge": ["autogroup:admin"],
|
|
"tag:Gate": ["autogroup:admin"],
|
|
"tag:Random": ["autogroup:admin"],
|
|
"tag:Hidden": ["autogroup:admin"],
|
|
},
|
|
|
|
// Define access control lists for users, groups, autogroups, tags,
|
|
// Tailscale IP addresses, and subnet ranges.
|
|
"acls": [
|
|
// Allow all connections.
|
|
// {"action": "accept", "src": ["*"], "dst": ["*:*"]},
|
|
|
|
// Random can
|
|
{"action": "accept", "src": ["tag:Random"], "dst": ["*:*"]},
|
|
|
|
// Host can
|
|
{"action": "accept", "src": ["tag:Host"], "dst": ["tag:Service:*"]},
|
|
|
|
// Hidden serves
|
|
{"action": "accept", "src": ["*"], "dst": ["tag:Hidden:*"]},
|
|
|
|
],
|
|
|
|
// Define postures that will be applied to all rules without any specific
|
|
// srcPosture definition.
|
|
// "defaultSrcPosture": [
|
|
// "posture:anyMac",
|
|
// ],
|
|
|
|
// Define device posture rules requiring devices to meet
|
|
// certain criteria to access parts of your system.
|
|
// "postures": {
|
|
// // Require devices running macOS, a stable Tailscale
|
|
// // version and auto update enabled for Tailscale.
|
|
// "posture:autoUpdateMac": [
|
|
// "node:os == 'macos'",
|
|
// "node:tsReleaseTrack == 'stable'",
|
|
// "node:tsAutoUpdate",
|
|
// ],
|
|
// // Require devices running macOS and a stable
|
|
// // Tailscale version.
|
|
// "posture:anyMac": [
|
|
// "node:os == 'macos'",
|
|
// "node:tsReleaseTrack == 'stable'",
|
|
// ],
|
|
// },
|
|
|
|
// Define users and devices that can use Tailscale SSH.
|
|
"ssh": [
|
|
// Allow all users to SSH into their own devices in check mode.
|
|
// Comment this section out if you want to define specific restrictions.
|
|
{
|
|
"action": "accept",
|
|
"src": ["tag:Random"],
|
|
"dst": ["autogroup:taged"],
|
|
"users": ["autogroup:nonroot", "root"],
|
|
},
|
|
],
|
|
|
|
// Test access rules every time they're saved.
|
|
"tests": [
|
|
{
|
|
"src": "tag:Bridge",
|
|
"accept": ["tag:Random:80"],
|
|
"deny": ["tag:Host:80"],
|
|
},
|
|
{
|
|
"src": "tag:Random",
|
|
"accept": ["tag:Bridge:80", "tag:Host:80"],
|
|
},
|
|
],
|
|
}
|
|
|