From 2dcc7e14ef1e6113498c918e495b4f9a9cc76b54 Mon Sep 17 00:00:00 2001
From: Jonas Juselius
Date: Sat, 3 May 2025 14:55:34 +0200
Subject: [PATCH] fix: misc headscale policy fixes
---
 values/headscale/values.yaml | 73 +++++++++++++++++++++++++----------
 1 file changed, 51 insertions(+), 22 deletions(-)
diff --git a/values/headscale/values.yaml b/values/headscale/values.yaml
index 8227a5b3..af4781b7 100644
--- a/values/headscale/values.yaml
+++ b/values/headscale/values.yaml
@@ -49,7 +49,7 @@ persistence:
 config:
 enabled: true
 mountPath: /etc/headscale
- retain: false
+ retain: true
 # storageClass: ""
 # accessMode: ReadWriteOnce
 # size: 1Gi
@@ -90,12 +90,32 @@ configMaps:
 // groups are collections of users having a common scope. A user can be in multiple groups
 // groups cannot be composed of groups
 "groups": {
- "group:admin": [ "jonas.juselius", "moritz.jorg" ],
- "group:devops": [ "jonas.juselius", "moritz.jorg", "stig.r.jenssen", "radovan.bast", "simen.kirkvik" ],
- "group:oceanographer": [ "frank.gaardsted", "ole.nost", "helge.avlesen" ],
- "group:manager": [ "svenn.hanssen", "hilde.iversen" ],
- "group:dev": [ "ole.tytlandsvik" ],
- "group:intern": [ "ole.tytlandsvik" ]
+ "group:admin": [
+ "jonas.juselius@oceanbox.io",
+ "moritz.jorg@oceanbox.io",
+ "system-tos",
+ ],
+ "group:devops": [
+ "jonas.juselius@oceanbox.io",
+ "moritz.jorg@oceanbox.io",
+ "stig.r.jensen@oceanbox.io",
+ "radovan.bast@oceanbox.io",
+ "simen.kirkvik@oceanbox.io",
+ "Ole.Tytlandsvik@tromso.serit.no",
+ ],
+ "group:oceanographer": [
+ "frank.gaardsted@oceanbox.io",
+ "ole.anders.nost@oceanbox.io",
+ "helge.avlesen@oceanbox.io",
+ "isabella.rosso@oceanbox.io",
+ "jonathan.lilly@oceanbox.io",
+ ],
+ "group:manager": [
+ "svenn.hanssen@oceanbox.io",
+ "hilde.iversen@oceanbox.io",
+ ],
+ "group:dev": [],
+ "group:intern": []
 },
 // tagOwners in tailscale is an association between a TAG and the people allowed to set this TAG on a server.
 // This is documented [here](https://tailscale.com/kb/1068/acl-tags#defining-a-tag)
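Review bot: Group members now appear in three identifier forms — `user@oceanbox.io`, the bare `system-tos` in `group:admin`, and the mixed-case external `Ole.Tytlandsvik@tromso.serit.no` in `group:devops` — and since a headscale group resolves its members against registered user names, an entry that does not match exactly is likely to expand to nothing rather than fail at load time, silently dropping that person from every rule the group appears in. The devops entry also changes spelling from `stig.r.jenssen` to `stig.r.jensen`; worth confirming which one matches the user record. Adding an external-domain account to `group:devops` widens who can reach the Kubernetes API ports the devops rule grants further down the file; a short comment next to that entry, e.g. `// external account; review on offboarding`, would record the intent. `group:dev` and `group:intern` are now empty lists, which some policy parsers reject, so confirm the policy still loads.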
@@ -116,27 +136,38 @@ configMaps:
 "k8s.oceanbox.tos": "10.255.241.200/32",
 "k8s.ekman.tos": "10.255.241.99/32",
 "k8s.ceph.tos": "10.255.241.29/32",
- "office.tos": "10.132.46.0/24",
- "dc.tos": "10.255.241.0/24",
- "mgmt.tos": "10.255.240.0/24"
+ "printer.office.tos": "10.132.46.108/32",
+ "net.office.tos": "10.132.46.0/24",
+ "net.dc.tos": "10.255.241.0/24",
+ "net.mgmt.tos": "10.255.240.0/24"
 },
 "acls": [
+ {
+ "action": "accept",
+ "src": [
+ "group:admin",
+ "group:devops",
+ "group:oceanographer",
+ "group:manager",
+ "group:dev",
+ ],
+ "dst": [ "mumindalen:0" ] },
 {
 "action": "accept",
 "src": [ "group:admin" ],
 "dst": [
- "dc.tos:*",
- "mgmt.tos:*",
- "office.tos:*",
+ "net.dc.tos:*",
+ "net.mgmt.tos:*",
+ "net.office.tos:*",
 ]
 },
 {
 "action": "accept",
 "src": [ "group:devops" ],
 "dst": [
- "k8s.oceanbox.tos:4443",
+ "k8s.oceanbox.tos:6443",
 "k8s.ekman.tos:4443",
- "k8s.ceph.tos:4443",
 ]
 },
 {
@@ -151,7 +182,9 @@ configMaps:
 "dst": [
 "ingress.oceanbox.tos:443",
 "ingress.ekman.tos:443",
- "ingress.ceph.tos:443",
+ "printer.office.tos:631",
+ "10.255.241.99/32:22",
+ "10.255.241.100/32:22",
 ]
 },
 {
@@ -164,14 +197,10 @@ configMaps:
 "group:dev",
 ],
 "dst": [
- "100.64.0.1/24:*",
+ "100.64.0.1/24:*",
+ "autogroup:internet:*",
 ]
 },
- // {
- // "action": "accept",
- // "src": ["group:dev"],
- // "dst": ["dc.tos:443", "frontend.ekman:0"]
- // }
 ]
 }
 dns:
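Review bot: The new first rule gives every group access to `mumindalen:0`, but `mumindalen` is not among the hosts visible in this hunk, and a destination that resolves to no host alias, user, group or tag typically fails policy validation, so confirm it is defined elsewhere in the file. Port `0` is also not the documented all-ports form; if the intent is any port, `"mumindalen:*"` is the form the ACL syntax documents, and a one-line comment stating what `mumindalen` is would help the next reader. The host renames to `net.*` are otherwise applied consistently in the admin rule.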
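Review bot: `10.255.241.99/32:22` in the new dst list is the same address the hosts section already names `k8s.ekman.tos`, and `10.255.241.100/32` is given no host alias at all, so the rule duplicates a definition that can drift when the host list changes. Using the alias, e.g. `"k8s.ekman.tos:22",` and adding a named entry for `.100` to the hosts map keeps the SSH grant readable and reviewable. The src list of this rule is outside the hunk, so who gains SSH to these two hosts is not visible here.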
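Review bot: `autogroup:internet:*` turns this rule into an exit-node grant for every group in its src list, a different class of access from the tailnet-internal `100.64.0.1/24:*` it sits next to; the src list begins above the hunk, so the full set of groups is not visible, but it includes `group:dev`. A comment recording that this is deliberate, e.g. `// allow these groups to use the advertised exit nodes`, would make the intent clear. `100.64.0.1/24` also has host bits set; `100.64.0.0/24` is the canonical form and avoids depending on the parser normalising it.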