fix: misc headscale policy fixes

values/headscale/values.yaml

@@ -49,7 +49,7 @@ persistence:
   config:
     enabled: true
     mountPath: /etc/headscale
-    retain: false
+    retain: true
     # storageClass: ""
     # accessMode: ReadWriteOnce
     # size: 1Gi
@@ -90,12 +90,32 @@ configMaps:
           // groups are collections of users having a common scope. A user can be in multiple groups
           // groups cannot be composed of groups
           "groups": {
-            "group:admin": [ "jonas.juselius", "moritz.jorg" ],
+            "group:admin": [
-            "group:devops": [ "jonas.juselius", "moritz.jorg", "stig.r.jenssen", "radovan.bast", "simen.kirkvik" ],
+              "jonas.juselius@oceanbox.io",
-            "group:oceanographer": [ "frank.gaardsted", "ole.nost", "helge.avlesen" ],
+              "moritz.jorg@oceanbox.io",
-            "group:manager": [ "svenn.hanssen", "hilde.iversen" ],
+              "system-tos",
-            "group:dev": [ "ole.tytlandsvik" ],
+            ],
-            "group:intern": [ "ole.tytlandsvik" ]
+            "group:devops": [
+              "jonas.juselius@oceanbox.io",
+              "moritz.jorg@oceanbox.io",
+              "stig.r.jensen@oceanbox.io",
+              "radovan.bast@oceanbox.io",
+              "simen.kirkvik@oceanbox.io",
+              "Ole.Tytlandsvik@tromso.serit.no",
+            ],
+            "group:oceanographer": [
+              "frank.gaardsted@oceanbox.io",
+              "ole.anders.nost@oceanbox.io",
+              "helge.avlesen@oceanbox.io",
+              "isabella.rosso@oceanbox.io",
+              "jonathan.lilly@oceanbox.io",
+            ],
+            "group:manager": [
+              "svenn.hanssen@oceanbox.io",
+              "hilde.iversen@oceanbox.io",
+            ],
+            "group:dev": [],
+            "group:intern": []
           },
           // tagOwners in tailscale is an association between a TAG and the people allowed to set this TAG on a server.
           // This is documented [here](https://tailscale.com/kb/1068/acl-tags#defining-a-tag)
@@ -116,27 +136,38 @@ configMaps:
             "k8s.oceanbox.tos": "10.255.241.200/32",
             "k8s.ekman.tos": "10.255.241.99/32",
             "k8s.ceph.tos": "10.255.241.29/32",
-            "office.tos": "10.132.46.0/24",
+            "printer.office.tos": "10.132.46.108/32",
-            "dc.tos": "10.255.241.0/24",
+            "net.office.tos": "10.132.46.0/24",
-            "mgmt.tos": "10.255.240.0/24"
+            "net.dc.tos": "10.255.241.0/24",
+            "net.mgmt.tos": "10.255.240.0/24"
           },
           "acls": [
+            {
+              "action": "accept",
+              "src": [
+                "group:admin",
+                "group:devops",
+                "group:oceanographer",
+                "group:manager",
+                "group:dev",
+              ],
+              "dst": [ "mumindalen:0" ]
+            },
             {
               "action": "accept",
               "src": [ "group:admin" ],
               "dst": [
-                 "dc.tos:*",
+                 "net.dc.tos:*",
-                 "mgmt.tos:*",
+                 "net.mgmt.tos:*",
-                 "office.tos:*",
+                 "net.office.tos:*",
               ]
             },
             {
               "action": "accept",
               "src": [ "group:devops" ],
               "dst": [
-                 "k8s.oceanbox.tos:4443",
+                 "k8s.oceanbox.tos:6443",
                  "k8s.ekman.tos:4443",
-                 "k8s.ceph.tos:4443",
               ]
             },
             {
@@ -151,7 +182,9 @@ configMaps:
               "dst": [
                  "ingress.oceanbox.tos:443",
                  "ingress.ekman.tos:443",
-                 "ingress.ceph.tos:443",
+                 "printer.office.tos:631",
+                 "10.255.241.99/32:22",
+                 "10.255.241.100/32:22",
               ]
             },
             {
@@ -165,13 +198,9 @@ configMaps:
               ],
               "dst": [
                  "100.64.0.1/24:*",
+                 "autogroup:internet:*",
               ]
             },
-            // {
-              // "action": "accept",
-              // "src": ["group:dev"],
-              // "dst": ["dc.tos:443", "frontend.ekman:0"]
-            // }
           ]
         }
   dns: