{
  // Tailscale tailnet policy file. This is HuJSON: the "//" comments and the
  // trailing commas are accepted by Tailscale's parser but are NOT valid
  // RFC 8259 JSON, so strict tools (jq, json.loads) will reject the file as-is.
  //
  // groups are collections of users having a common scope. A user can be in multiple groups.
  // groups cannot be composed of groups.
  "groups": {
    // NOTE(review): "ekman" and "rossby" are not user logins (every other group
    // holds e-mail addresses) although the comment above says groups hold users.
    // If these are meant to be the cluster machines, the documented Tailscale
    // model is to tag the machines (tag:hpc is declared in tagOwners below) and
    // use the tag in "src"; confirm what this group is intended to match.
    "group:hpc-clusters": [
      "ekman",
      "rossby",
    ],
    // Full administrative access (see the group:admin ACL rule below).
    // NOTE(review): "system-tos" is not an e-mail login either — confirm it is
    // a valid Tailscale user identity.
    "group:admin": [
      "jonas.juselius@oceanbox.io",
      "Moritz.Jorg@oceanbox.io",
      "simen.kirkvik@oceanbox.io",
      "stig.r.jensen@oceanbox.io",
      "system-tos",
    ],
    // Operators of the Kubernetes clusters; gets the k8s API ports below.
    // NOTE(review): logins are written in mixed case here and elsewhere
    // ("Moritz.Jorg", "Ole.Tytlandsvik"); if Tailscale compares logins
    // case-sensitively these entries may silently match nobody — verify.
    "group:devops": [
      "jonas.juselius@oceanbox.io",
      "Moritz.Jorg@oceanbox.io",
      "stig.r.jensen@oceanbox.io",
      "radovan.bast@oceanbox.io",
      "simen.kirkvik@oceanbox.io",
      "Ole.Tytlandsvik@tromso.serit.no",
    ],
    "group:oceanographer": [
      "frank.gaardsted@oceanbox.io",
      "ole.anders.nost@oceanbox.io",
      "helge.avlesen@oceanbox.io",
      "isa.rosso@oceanbox.io",
      "jonathan.lilly@oceanbox.io",
    ],
    "group:manager": [
      "svenn.hanssen@oceanbox.io",
      "hilde.iversen@oceanbox.io",
    ],
    // Currently empty, but already referenced by several ACL rules below, so
    // anyone added here immediately inherits those grants.
    "group:dev": [],
    // Currently empty and referenced by no ACL rule.
    "group:intern": [],
  },
  // tagOwners in tailscale is an association between a TAG and the people allowed to set this TAG on a server.
  // This is documented [here](https://tailscale.com/kb/1068/acl-tags#defining-a-tag)
  // and explained [here](https://tailscale.com/blog/rbac-like-it-was-meant-to-be/)
  // NOTE(review): neither tag appears in any "src"/"dst" below, so a machine
  // tagged tag:k8s or tag:hpc is granted nothing by this policy on its own.
  "tagOwners": {
    "tag:k8s": [
      "group:admin"
    ],
    "tag:hpc": [
      "group:admin"
    ],
  },
  // hosts should be defined using their IP addresses and a subnet mask.
  // To define a single host, use a /32 mask. You cannot use DNS entries here,
  // as they're prone to be hijacked by replacing their IP addresses.
  // See https://github.com/tailscale/tailscale/issues/3800 for more information.
  "hosts": {
    // 10.255.241.99 is declared three times (ingress/manage/k8s .ekman.tos);
    // the ACLs still reference that address literally in one rule below.
    "ingress.ekman.tos": "10.255.241.99/32",
    "ingress.ceph.tos": "10.255.241.10/32",
    "ingress.ceph.vtn": "172.16.239.50/32",
    "ingress.adm.ceph.vtn": "172.16.239.51/32",
    "ingress.oceanbox.tos": "10.255.241.11/32",
    "manage.ekman.tos": "10.255.241.99/32",
    "k8s.oceanbox.tos": "10.255.241.200/32",
    "k8s.ekman.tos": "10.255.241.99/32",
    "k8s.ceph.tos": "10.255.241.29/32",
    "printer.office.tos": "10.132.46.108/32",
    // Whole networks; "<name>:*" in a dst grants every port on every address.
    "net.office.tos": "10.132.46.0/24",
    "net.dc.tos": "10.255.241.0/24",
    "net.ceph.tos": "10.255.244.0/24",
    "net.mgmt.tos": "10.255.240.0/24",
    "net.rossby": "172.16.239.0/24",
    "net.mgmt.rossby": "172.16.238.0/24",
    "net.k8s.svc": "10.96.0.0/12",
  },
  // Rules are additive: a connection is allowed if any rule accepts it.
  "acls": [
    // Everyone (including the cluster group itself) reaches the cluster entry points.
    // NOTE(review): none of the six destinations below is declared in "hosts",
    // so unless they resolve some other way the policy is likely to be rejected
    // when saved. ":0" is also an unusual port spec — confirm it is intended
    // rather than ":22" or ":*".
    {
      "action": "accept",
      "src": [
        "group:admin",
        "group:devops",
        "group:oceanographer",
        "group:manager",
        "group:dev",
        "group:hpc-clusters",
      ],
      "dst": [
        "mumindalen:0",
        "relay-vtn:0",
        "rossby-manage:22",
        "rossby:22",
        "ekman:22",
        "ekman-manage:22",
      ]
    },
    // Cluster members get all ports on every internal network, the same scope as
    // group:admin in the next rule.
    // NOTE(review): "net.dc.tos:*" is listed twice (harmless, but usually a
    // merge artefact). Review whether the clusters really need net.office.tos
    // and both management networks, or whether this can be narrowed.
    {
      "action": "accept",
      "src": [
        "group:hpc-clusters"
      ],
      "dst": [
        "net.dc.tos:*",
        "net.mgmt.tos:*",
        "net.ceph.tos:*",
        "net.office.tos:*",
        "net.rossby:*",
        "net.mgmt.rossby:*",
        "net.dc.tos:*",
        "net.k8s.svc:*",
      ]
    },
    // Admins: all ports on every internal network.
    {
      "action": "accept",
      "src": [
        "group:admin"
      ],
      "dst": [
        "net.dc.tos:*",
        "net.mgmt.tos:*",
        "net.ceph.tos:*",
        "net.office.tos:*",
        "net.rossby:*",
        "net.mgmt.rossby:*",
        "net.k8s.svc:*",
      ]
    },
    // Devops: Kubernetes API endpoints only.
    {
      "action": "accept",
      "src": [
        "group:devops"
      ],
      "dst": [
        "k8s.oceanbox.tos:6443",
        "k8s.ekman.tos:4443",
      ]
    },
    // All user groups: HTTPS ingress, the office printer (IPP) and SSH to two hosts.
    // NOTE(review): the last two entries are literal IPs, contrary to the
    // "hosts" comment above. 10.255.241.99/32 already has aliases
    // (manage.ekman.tos is the natural one for :22); 10.255.241.100/32 has no
    // alias at all — declare it in "hosts" so the grant is readable and audited
    // in one place.
    {
      "action": "accept",
      "src": [
        "group:admin",
        "group:devops",
        "group:oceanographer",
        "group:manager",
        "group:dev",
      ],
      "dst": [
        "ingress.oceanbox.tos:443",
        "ingress.ekman.tos:443",
        "printer.office.tos:631",
        "10.255.241.99/32:22",
        "10.255.241.100/32:22",
      ]
    },
    // All user groups: peer-to-peer traffic on the tailnet range and use of exit
    // nodes for internet access (autogroup:internet).
    // NOTE(review): "100.64.0.1/24" has host bits set; the canonical form is
    // 100.64.0.0/24. It also covers only one /24 of the 100.64.0.0/10 range
    // Tailscale assigns addresses from — confirm the intended scope.
    {
      "action": "accept",
      "src": [
        "group:admin",
        "group:devops",
        "group:oceanographer",
        "group:manager",
        "group:dev",
      ],
      "dst": [
        "100.64.0.1/24:*",
        "autogroup:internet:*",
      ]
    },
  ]
}