diff --git a/values/headscale/acl.yaml b/values/headscale/acl.yaml
new file mode 100644
index 00000000..c8ebe81f
--- /dev/null
+++ b/values/headscale/acl.yaml
@@ -0,0 +1,164 @@
+apiVersion: v1
+data:
+ policy: |
+ {
+ // groups are collections of users having a common scope. A user can be in multiple groups
+ // groups cannot be composed of groups
+ "groups": {
+ "group:admin": [
+ "jonas.juselius@oceanbox.io",
+ "Moritz.Jorg@oceanbox.io",
+ "simen.kirkvik@oceanbox.io",
+ "stig.r.jensen@oceanbox.io",
+ "system-tos",
+ ],
+ "group:devops": [
+ "jonas.juselius@oceanbox.io",
+ "Moritz.Jorg@oceanbox.io",
+ "stig.r.jensen@oceanbox.io",
+ "radovan.bast@oceanbox.io",
+ "simen.kirkvik@oceanbox.io",
+ "Ole.Tytlandsvik@tromso.serit.no",
+ ],
+ "group:oceanographer": [
+ "frank.gaardsted@oceanbox.io",
+ "ole.anders.nost@oceanbox.io",
+ "helge.avlesen@oceanbox.io",
+ "isa.rosso@oceanbox.io",
+ "jonathan.lilly@oceanbox.io",
+ ],
+ "group:manager": [
+ "svenn.hanssen@oceanbox.io",
+ "hilde.iversen@oceanbox.io",
+ ],
+ "group:dev": [],
+ "group:intern": [],
+ },
+ // tagOwners in tailscale is an association between a TAG and the people allowed to set this TAG on a server.
+ // This is documented [here](https://tailscale.com/kb/1068/acl-tags#defining-a-tag)
+ // and explained [here](https://tailscale.com/blog/rbac-like-it-was-meant-to-be/)
+ "tagOwners": {
+ "tag:k8s": [ "group:admin" ],
+ "tag:hpc": [ "group:admin" ],
+ },
+ // hosts should be defined using its IP addresses and a subnet mask.
+ // to define a single host, use a /32 mask. You cannot use DNS entries here,
+ // as they're prone to be hijacked by replacing their IP addresses.
+ // see https://github.com/tailscale/tailscale/issues/3800 for more information.
+ "hosts": {
+ "ingress.ekman.tos": "10.255.241.99/32",
+ "ingress.ceph.tos": "10.255.241.10/32",
+ "ingress.ceph.vtn": "172.16.239.50/32",
+ "ingress.adm.ceph.vtn": "172.16.239.51/32",
+ "ingress.oceanbox.tos": "10.255.241.11/32",
+ "manage.ekman.tos": "10.255.241.99/32",
+ "k8s.oceanbox.tos": "10.255.241.200/32",
+ "k8s.ekman.tos": "10.255.241.99/32",
+ "k8s.ceph.tos": "10.255.241.29/32",
+ "printer.office.tos": "10.132.46.108/32",
+ "net.office.tos": "10.132.46.0/24",
+ "net.dc.tos": "10.255.241.0/24",
+ "net.100gbe.tos": "10.255.244.0/24",
+ "net.mgmt.tos": "10.255.240.0/24",
+ "net.dc.vtn": "172.16.239.0/24",
+ "net.mgmt.vtn": "172.16.238.0/24",
+ },
+ "acls": [
+ {
+ "action": "accept",
+ "src": [
+ "group:admin",
+ "group:devops",
+ "group:oceanographer",
+ "group:manager",
+ "group:dev",
+ ],
+ "dst": [
+ "100.64.0.0/24:0",
+ "100.64.0.0/24:22",
+ ]
+ },
+ {
+ "action": "accept",
+ "src": [ "ekman", "net.dc.tos" ],
+ "dst": [
+ "net.dc.vtn:*",
+ "100.64.0.0/24:0",
+ "100.64.0.0/24:22",
+ ]
+ },
+ {
+ "action": "accept",
+ "src": [ "rossby", "net.dc.vtn" ],
+ "dst": [
+ "net.dc.tos:*",
+ "100.64.0.0/24:0",
+ "100.64.0.0/24:22",
+ ]
+ },
+ {
+ "action": "accept",
+ "src": [ "group:admin" ],
+ "dst": [
+ "net.dc.tos:*",
+ "net.mgmt.tos:*",
+ "net.100gbe.tos:*",
+ "net.office.tos:*",
+ "net.dc.vtn:*",
+ "net.mgmt.vtn:*",
+ ]
+ },
+ {
+ "action": "accept",
+ "src": [ "group:devops" ],
+ "dst": [
+ "k8s.oceanbox.tos:6443",
+ "k8s.ekman.tos:4443",
+ ]
+ },
+ {
+ "action": "accept",
+ "src": [
+ "group:admin",
+ "group:devops",
+ "group:oceanographer",
+ "group:manager",
+ "group:dev",
+ ],
+ "dst": [
+ "ingress.oceanbox.tos:443",
+ "ingress.ekman.tos:443",
+ "printer.office.tos:631",
+ "10.255.241.99/32:22",
+ "10.255.241.100/32:22",
+ ]
+ },
+ {
+ "action": "accept",
+ "src": [
+ "group:admin",
+ "group:devops",
+ "group:oceanographer",
+ "group:manager",
+ "group:dev",
+ ],
+ "dst": [
+ "100.64.0.0/24:*",
+ "autogroup:internet:*",
+ ]
+ },
+ ]
+ }
+kind: ConfigMap
+metadata:
+ annotations:
+ argocd.argoproj.io/tracking-id: headscale:/ConfigMap:headscale/headscale-acl
+ labels:
+ app.kubernetes.io/instance: headscale
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/name: headscale
+ app.kubernetes.io/version: v0.25.0
+ helm.sh/chart: headscale-0.16.0
+ name: headscale-acl
+ namespace: headscale
+
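Review bot: The last ACL rule grants all five groups `100.64.0.0/24:*`, so the narrower rules above it (the `:0`/`:22`-only entries of the first rule, and the devops-only `k8s.oceanbox.tos:6443`/`k8s.ekman.tos:4443` rule) only constrain the routed 10.x/172.x addresses — if those hosts are themselves tailnet nodes, every port on their 100.64.x address is open to every user — and it also hands `autogroup:internet:*` (exit-node use) to every group, including the still-empty `group:dev` whose future members inherit it. If least privilege is the goal, drop `"100.64.0.0/24:*"` from that rule (the first rule already covers `:0` and `:22` for the same sources) and restrict `autogroup:internet:*` to the groups that actually need an exit node. Note also that `100.64.0.0/24` covers only the first 256 addresses of headscale's default `100.64.0.0/10` prefix, so nodes allocated outside it silently fall out of these rules — confirm this matches the configured `prefixes.v4` and allocation strategy. The mixed-case entries `Moritz.Jorg@oceanbox.io` and `Ole.Tytlandsvik@tromso.serit.no` are presumably matched exactly against registered headscale user names, so verify the case matches how those users were created or the grants never apply. The sources `ekman` and `rossby` in the second and third rules are not defined in `hosts`, `groups` or `tagOwners`, so they are presumably headscale user names — a comment such as `// "ekman" / "rossby" are headscale users for the site subnet routers` would save the next reader the guess.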