42 lines
1.2 KiB
Plaintext
42 lines
1.2 KiB
Plaintext
|
// Example/default ACLs for unrestricted connections.
|
||
|
|
{
|
||
|
|
// Declare static groups of users. Use autogroups for all users or users with a specific role.
|
||
|
|
// "groups": {
|
||
|
|
// "group:example": ["alice@example.com", "bob@example.com"],
|
||
|
|
// },
|
||
|
|
|
||
|
|
// Define the tags which can be applied to devices and by which users.
|
||
|
|
"tagOwners": {
|
||
|
|
"tag:trusted": ["autogroup:admin"],
|
||
|
|
},
|
||
|
|
|
||
|
|
// Define access control lists for users, groups, autogroups, tags,
|
||
|
|
// Tailscale IP addresses, and subnet ranges.
|
||
|
|
"acls": [
|
||
|
|
// Allow all connections.
|
||
|
|
// Comment this section out if you want to define specific restrictions.
|
||
|
|
{"action": "accept", "src": ["*"], "dst": ["*:*"]},
|
||
|
|
],
|
||
|
|
|
||
|
|
// Define users and devices that can use Tailscale SSH.
|
||
|
|
"ssh": [
|
||
|
|
// Allow all users to SSH into their own devices in check mode.
|
||
|
|
// Comment this section out if you want to define specific restrictions.
|
||
|
|
{
|
||
|
|
"action": "check",
|
||
|
|
"src": ["autogroup:member"],
|
||
|
|
"dst": ["autogroup:self"],
|
||
|
|
"users": ["autogroup:nonroot"],
|
||
|
|
},
|
||
|
|
],
|
||
|
|
|
||
|
|
// Test access rules every time they're saved.
|
||
|
|
// "tests": [
|
||
|
|
// {
|
||
|
|
// "src": "alice@example.com",
|
||
|
|
// "accept": ["tag:example"],
|
||
|
|
// "deny": ["100.101.102.103:443"],
|
||
|
|
// },
|
||
|
|
// ],
|
||
|
|
}
|