manifests/attic/policy.hujson

{
  // groups are collections of users having a common scope. A user can be in multiple groups
  // groups cannot be composed of groups
  "groups": {
    "group:hpc-clusters": [
      "ekman",
      "rossby",
    ],
    "group:admin": [
      "jonas.juselius@oceanbox.io",
      "Moritz.Jorg@oceanbox.io",
      "simen.kirkvik@oceanbox.io",
      "stig.r.jensen@oceanbox.io",
      "system-tos",
    ],
    "group:devops": [
      "jonas.juselius@oceanbox.io",
      "Moritz.Jorg@oceanbox.io",
      "stig.r.jensen@oceanbox.io",
      "radovan.bast@oceanbox.io",
      "simen.kirkvik@oceanbox.io",
      "Ole.Tytlandsvik@tromso.serit.no",
    ],
    "group:oceanographer": [
      "frank.gaardsted@oceanbox.io",
      "ole.anders.nost@oceanbox.io",
      "helge.avlesen@oceanbox.io",
      "isa.rosso@oceanbox.io",
      "jonathan.lilly@oceanbox.io",
    ],
    "group:manager": [
      "svenn.hanssen@oceanbox.io",
      "hilde.iversen@oceanbox.io",
    ],
    "group:dev": [],
    "group:intern": [],
  },
  // tagOwners in tailscale is an association between a TAG and the people allowed to set this TAG on a server.
  // This is documented [here](https://tailscale.com/kb/1068/acl-tags#defining-a-tag)
  // and explained [here](https://tailscale.com/blog/rbac-like-it-was-meant-to-be/)
  "tagOwners": {
    "tag:k8s": [ "group:admin" ],
    "tag:hpc": [ "group:admin" ],
  },
  // hosts should be defined using its IP addresses and a subnet mask.
  // to define a single host, use a /32 mask. You cannot use DNS entries here,
  // as they're prone to be hijacked by replacing their IP addresses.
  // see https://github.com/tailscale/tailscale/issues/3800 for more information.
  "hosts": {
    "ingress.ekman.tos": "10.255.241.99/32",
    "ingress.ceph.tos": "10.255.241.10/32",
    "ingress.ceph.vtn": "172.16.239.50/32",
    "ingress.adm.ceph.vtn": "172.16.239.51/32",
    "ingress.oceanbox.tos": "10.255.241.11/32",
    "manage.ekman.tos": "10.255.241.99/32",
    "k8s.oceanbox.tos": "10.255.241.200/32",
    "k8s.ekman.tos": "10.255.241.99/32",
    "k8s.ceph.tos": "10.255.241.29/32",
    "printer.office.tos": "10.132.46.108/32",
    "net.office.tos": "10.132.46.0/24",
    "net.dc.tos": "10.255.241.0/24",
    "net.ceph.tos": "10.255.244.0/24",
    "net.mgmt.tos": "10.255.240.0/24",
    "net.rossby": "172.16.239.0/24",
    "net.mgmt.rossby": "172.16.238.0/24",
    "net.k8s.svc": "10.96.0.0/12",
  },
  "acls": [
    {
      "action": "accept",
      "src": [
        "group:admin",
        "group:devops",
        "group:oceanographer",
        "group:manager",
        "group:dev",
        "group:hpc-clusters",
      ],
      "dst": [
        "mumindalen:0",
        "relay-vtn:0",
        "rossby-manage:22",
        "rossby:22",
        "ekman:22",
        "ekman-manage:22",
      ]
    },
    {
      "action": "accept",
      "src": [ "group:hpc-clusters" ],
      "dst": [
        "net.dc.tos:*",
        "net.mgmt.tos:*",
        "net.ceph.tos:*",
        "net.office.tos:*",
        "net.rossby:*",
        "net.mgmt.rossby:*",
        "net.dc.tos:*",
        "net.k8s.svc:*",
      ]
    },
    {
      "action": "accept",
      "src": [ "group:admin" ],
      "dst": [
         "net.dc.tos:*",
         "net.mgmt.tos:*",
         "net.ceph.tos:*",
         "net.office.tos:*",
         "net.rossby:*",
         "net.mgmt.rossby:*",
         "net.k8s.svc:*",
      ]
    },
    {
      "action": "accept",
      "src": [ "group:devops" ],
      "dst": [
         "k8s.oceanbox.tos:6443",
         "k8s.ekman.tos:4443",
      ]
    },
    {
      "action": "accept",
      "src": [
          "group:admin",
          "group:devops",
          "group:oceanographer",
          "group:manager",
          "group:dev",
      ],
      "dst": [
         "ingress.oceanbox.tos:443",
         "ingress.ekman.tos:443",
         "printer.office.tos:631",
         "10.255.241.99/32:22",
         "10.255.241.100/32:22",
      ]
    },
    {
      "action": "accept",
      "src": [
          "group:admin",
          "group:devops",
          "group:oceanographer",
          "group:manager",
          "group:dev",
      ],
      "dst": [
         "100.64.0.1/24:*",
         "autogroup:internet:*",
      ]
    },
  ]
}