fix: fix headscale acls for routing between tos and vtn

2025-10-07 21:17:32 +02:00
parent c3502e3d5a
commit 949c31a85b
1 changed files with 21 additions and 28 deletions
@@ -92,10 +92,6 @@ configMaps:
          // groups are collections of users having a common scope. A user can be in multiple groups
          // groups cannot be composed of groups
          "groups": {
-            "group:hpc-clusters": [
-              "ekman",
-              "rossby",
-            ],
            "group:admin": [
              "jonas.juselius@oceanbox.io",
              "Moritz.Jorg@oceanbox.io",
@@ -149,11 +145,10 @@ configMaps:
            "printer.office.tos": "10.132.46.108/32",
            "net.office.tos": "10.132.46.0/24",
            "net.dc.tos": "10.255.241.0/24",
-            "net.ceph.tos": "10.255.244.0/24",
+            "net.100gbe.tos": "10.255.244.0/24",
            "net.mgmt.tos": "10.255.240.0/24",
-            "net.rossby": "172.16.239.0/24",
-            "net.mgmt.rossby": "172.16.238.0/24",
-            "net.k8s.svc": "10.96.0.0/12",
+            "net.dc.vtn": "172.16.239.0/24",
+            "net.mgmt.vtn": "172.16.238.0/24",
          },
          "acls": [
            {
@@ -164,29 +159,28 @@ configMaps:
                "group:oceanographer",
                "group:manager",
                "group:dev",
-                "group:hpc-clusters",
              ],
              "dst": [
-                "mumindalen:0",
-                "relay-vtn:0",
-                "rossby-manage:22",
-                "rossby:22",
-                "ekman:22",
-                "ekman-manage:22",
+                "100.64.0.0/24:0",
+                "100.64.0.0/24:22",
              ]
            },
            {
              "action": "accept",
-              "src": [ "group:hpc-clusters" ],
+              "src": [ "ekman", "net.dc.tos" ],
+              "dst": [
+                "net.dc.vtn:*",
+                "100.64.0.0/24:0",
+                "100.64.0.0/24:22",
+              ]
+            },
+            {
+              "action": "accept",
+              "src": [ "rossby", "net.dc.vtn" ],
              "dst": [
                "net.dc.tos:*",
-                "net.mgmt.tos:*",
-                "net.ceph.tos:*",
-                "net.office.tos:*",
-                "net.rossby:*",
-                "net.mgmt.rossby:*",
-                "net.dc.tos:*",
-                "net.k8s.svc:*",
+                "100.64.0.0/24:0",
+                "100.64.0.0/24:22",
              ]
            },
            {
@@ -195,11 +189,10 @@ configMaps:
              "dst": [
                 "net.dc.tos:*",
                 "net.mgmt.tos:*",
-                 "net.ceph.tos:*",
+                 "net.100gbe.tos:*",
                 "net.office.tos:*",
-                 "net.rossby:*",
-                 "net.mgmt.rossby:*",
-                 "net.k8s.svc:*",
+                 "net.dc.vtn:*",
+                 "net.mgmt.vtn:*",
              ]
            },
            {
@@ -237,7 +230,7 @@ configMaps:
                  "group:dev",
              ],
              "dst": [
-                 "100.64.0.1/24:*",
+                 "100.64.0.0/24:*",
                 "autogroup:internet:*",
              ]
            },