diff --git a/values/headscale/values/values.yaml b/values/headscale/values/values.yaml
index e41e949f..94bfc6c0 100644
--- a/values/headscale/values/values.yaml
+++ b/values/headscale/values/values.yaml
@@ -103,7 +103,6 @@ configMaps:
 "Moritz.Jorg@oceanbox.io",
 "simen.kirkvik@oceanbox.io",
 "stig.r.jensen@oceanbox.io",
- "tos-system",
 ],
 "group:devops": [
 "jonas.juselius@oceanbox.io",
@@ -133,6 +132,9 @@ configMaps:
 "tagOwners": {
 "tag:k8s": [ "group:admin" ],
 "tag:hpc": [ "group:admin" ],
+ "tag:tos-relay": [ "group:admin" ],
+ "tag:vtn-relay": [ "group:admin" ],
+ "tag:mumindalen": [ "group:admin" ],
 },
 // hosts should be defined using its IP addresses and a subnet mask.
 // to define a single host, use a /32 mask. You cannot use DNS entries here,
@@ -160,35 +162,33 @@ configMaps:
 {
 "action": "accept",
 "src": [
- "group:admin",
- "group:devops",
- "group:oceanographer",
- "group:manager",
- "group:dev",
+ "group:admin",
+ "group:devops",
+ "group:oceanographer",
+ "group:manager",
+ "group:dev",
 ],
 "dst": [
- "100.64.0.0/24:0",
- "100.64.0.0/24:22",
+ "100.64.0.0/10:0",
+ "100.64.0.0/10:22",
 ]
 },
 {
 "action": "accept",
- "src": [ "ekman", "net.dc.tos" ],
+ "src": [ "tag:tos-relay", "net.dc.tos" ],
 "dst": [
- "100.64.0.24/32:*",
- "100.64.0.10/32:*",
- "100.64.0.20/32:*",
- "net.dc.vtn:*",
+ "tag:vtn-relay:0",
+ "tag:vtn-relay:*",
+ "net.dc.vtn:*",
 ]
 },
 {
 "action": "accept",
- "src": [ "vtn-system", "rossby", "net.dc.vtn" ],
+ "src": [ "tag:vtn-relay", "net.dc.vtn" ],
 "dst": [
- "100.64.0.36/32:*",
- "100.64.0.12/32:*",
- "100.64.0.14/32:*",
- "net.dc.tos:*",
+ "tag:tos-relay:0",
+ "tag:tos-relay:*",
+ "net.dc.tos:*",
 ]
 },
 {
@@ -214,11 +214,11 @@ configMaps:
 {
 "action": "accept",
 "src": [
- "group:admin",
- "group:devops",
- "group:oceanographer",
- "group:manager",
- "group:dev",
+ "group:admin",
+ "group:devops",
+ "group:oceanographer",
+ "group:manager",
+ "group:dev",
 ],
 "dst": [
 "ingress.oceanbox.tos:443",
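Review bot: In the hunk at `@@ -160,35 +162,33 @@`, the first rule's destinations widen from `100.64.0.0/24` to `100.64.0.0/10`, so port 22 is now allowed on the entire CGNAT range that tailnet IPv4 addresses come from, for all five groups, rather than on one /24. If the intent is SSH to servers only, a tag-based destination such as `"tag:hpc:22"` would keep the grant from silently covering workstations and any node registered later. In the two relay rules of the same hunk, `"tag:vtn-relay:0"` and `"tag:tos-relay:0"` are subsumed by the `:*` entries next to them and could be dropped; if `:0` is meant to carry ICMP, a short `//` comment saying so would help, since the diff does not show how port 0 is interpreted. The policy array starts and ends outside the hunk.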
@@ -231,14 +231,43 @@ configMaps:
 {
 "action": "accept",
 "src": [
- "group:admin",
- "group:devops",
- "group:oceanographer",
- "group:manager",
- "group:dev",
+ "tag:mumindalen",
+ "group:admin",
 ],
 "dst": [
- "100.64.0.0/24:*",
+ "100.64.0.0/10:*",
+ ]
+ },
+ {
+ "action": "accept",
+ "src": [
+ "group:admin",
+ "group:devops",
+ "group:oceanographer",
+ "group:manager",
+ "group:dev",
+ ],
+ "dst": [
+ "tag:hpc:*",
+ "tag:mumindalen:*",
+ "tag:tos-relay:*",
+ "autogroup:internet:*",
+ ]
+ },
+ {
+ "action": "accept",
+ "src": [
+ "group:admin",
+ "group:devops",
+ "group:oceanographer",
+ "group:manager",
+ "group:dev",
+ ],
+ "dst": [
+ "tag:hpc:*",
+ "tag:tos-relay:*",
+ "100.64.0.2/32:0",
+ "100.64.0.0/10:*",
 "autogroup:internet:*",
 ]
 },
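Review bot: The last rule in this hunk gives all five groups `"100.64.0.0/10:*"`, and since these rules are allow-only and additive, that single entry shadows the narrower grants around it. The new tag-scoped rule above it (`tag:hpc:*`, `tag:mumindalen:*`, `tag:tos-relay:*`), the `group:admin` entry in the first rule and the port-22 rule in the `@@ -160,35 +162,33 @@` hunk all become redundant, so every member of devops, oceanographer, manager and dev can reach every port on every node. If the tag-scoped rule is the intended access for non-admin groups, remove `"100.64.0.0/10:*"` and the repeated `tag:` and `100.64.0.2/32:0` entries from the last rule, leaving the full-range grant to the first rule only. Separately, `tag:mumindalen` as a source for `100.64.0.0/10:*` gives a tagged node the same reach as an admin user, so a compromise of that one node exposes the whole tailnet. A `//` comment stating why it needs that, or a narrower `dst`, would make the exposure reviewable.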