From 30d762f15100deacd75c9dcbc94b6dab7f1ff936 Mon Sep 17 00:00:00 2001
From: Tine
Date: Sun, 3 Nov 2024 23:06:34 +0100
Subject: [PATCH] docs: tailscale acl example
---
 README.md | 18 +++++-
 justfile | 6 ++-
 tailscale/policy.hujson | 114 ++++++++++++++++++++++++++++++++++++++++
 3 files changed, 132 insertions(+), 6 deletions(-)
 create mode 100644 tailscale/policy.hujson
diff --git a/README.md b/README.md
index 47700ba..13ed07d 100644
--- a/README.md
+++ b/README.md
@@ -43,26 +43,36 @@ __network.tjo.cloud__ establishes Tailscale VPN connection between other network ### 3. Deploy terraform. -### 4. Manually configure Tailscale. +### 4. Set Password (see bitwarden) + +### 5. Setup Tailscale. Ref: https://github.com/adyanth/openwrt-tailscale-enabler ``` opkg update -opkg install iptables-nft kmod-ipt-conntrack kmod-ipt-conntrack-extra kmod-ipt-conntrack-label kmod-ipt-nat kmod-nft-nat +opkg install ca-bundle kmod-tun iptables-nft kmod-ipt-conntrack kmod-ipt-conntrack-extra kmod-ipt-conntrack-label kmod-ipt-nat kmod-nft-nat +/etc/init.d/tailscale start +/etc/init.d/tailscale enable tailscale up --accept-routes --advertise-routes=$IPV4_SUBNET,$IPV6_SUBNET --accept-dns=false --ssh ``` -### 5. Configure `NAT`, `DHCP`. +### 6. Configure. Once tailscale is up and manually configured (see the config files for guide). We can use automated way of maintaining config. ``` -just deploy-config nevaroo 10.0.48.0 fd9b:5314:0:3000:: +just deploy-config batuu 10.0.16.1 fd9b:5314:0:1000:: +just deploy-config jakku 10.0.32.1 fd9b:5314:0:2000:: +just deploy-config nevaroo 10.0.48.1 fd9b:5314:0:3000:: ``` # TODO +## Use gitops for tailscale ACL. + +Current version is an snapshot in time, more as an example then actual version used. + ## IPv6 Connectivity. As we assign private ipv6 addresses, we would have to ise ipv6 nat to translate those to real ipv6 addresses.
diff --git a/justfile b/justfile
index ed51e58..d432944 100644
--- a/justfile
+++ b/justfile
@@ -36,5 +36,7 @@ deploy-config node ipv4_subnet ipv6_subnet: cat $file | envsubst | tailscale ssh "root@{{node}}-network-tjo-cloud" "cat > /etc/config/$(basename $file)" done - echo "Reloading network configuration" - tailscale ssh "root@{{node}}-network-tjo-cloud" "/etc/init.d/network reload" + echo "Reboot router in 5 seconds..." + sleep 5 + echo "Rebooting router..." + tailscale ssh "root@{{node}}-network-tjo-cloud" "reboot"
diff --git a/tailscale/policy.hujson b/tailscale/policy.hujson
new file mode 100644
index 0000000..3a268ac
--- /dev/null
+++ b/tailscale/policy.hujson
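Review bot: The added `tailscale ssh ... "reboot"` at the end of the recipe runs even when one of the config uploads in the preceding `for` loop failed, because the exit status of the `cat $file | envsubst | tailscale ssh ... "cat > /etc/config/$(basename $file)"` pipeline is never checked and nothing in the hunk shows the recipe running under `set -e`/`pipefail`; a failed upload would then reboot the router into a partially written configuration. Consider `set -euo pipefail` at the top of the recipe, or `|| exit 1` on the upload pipeline, so the reboot only happens after every file has landed. The `sleep 5` gives no way to abort short of interrupting the recipe, so a one-line comment stating its purpose (e.g. `# grace period to interrupt before the router goes down`) would help the next reader. The recipe header and the start of the loop lie outside the hunk.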
@@ -0,0 +1,114 @@
+{
+ // Declare static groups of users. Use autogroups for all users or users with a specific role.
+ "groups": {
+ "group:admin": ["tine.jozelj@tjo.space"],
+ },
+
+ // Define the tags which can be applied to devices and by which users.
+ "tagOwners": {
+ // Cloud
+ "tag:system-tjo-cloud": ["group:admin"],
+ "tag:network-tjo-cloud": ["group:admin"],
+ "tag:kubernetes-tjo-cloud": ["group:admin"],
+ "tag:ingress-tjo-cloud": ["group:admin"],
+ // Space
+ "tag:system-tjo-space": ["group:admin"],
+ },
+
+ "autoApprovers": {
+ "routes": {
+ // VM Subnets
+ "10.0.0.0/8": ["tag:network-tjo-cloud"],
+ "fd9b:5314::/32": ["tag:network-tjo-cloud"],
+ },
+ },
+
+ // Define access control lists for users, groups, autogroups, tags,
+ // Tailscale IP addresses, and subnet ranges.
+ "acls": [
+ // Own Devices
+ {
+ "action": "accept",
+ "src": ["*"],
+ "dst": ["autogroup:self:*"],
+ },
+ // Between Systems
+ {
+ "action": "accept",
+ "src": ["tag:system-tjo-cloud"],
+ "dst": ["tag:system-tjo-cloud:*"],
+ },
+ {
+ "action": "accept",
+ "src": ["tag:system-tjo-space"],
+ "dst": ["tag:system-tjo-space:*"],
+ },
+ // From system.tjo.space to system.tjo.cloud Proxmox Access
+ {
+ "action": "accept",
+ "src": ["tag:system-tjo-space"],
+ "dst": ["tag:system-tjo-cloud:8006"],
+ },
+ // Network to VM Subnets
+ {
+ "action": "accept",
+ "src": ["tag:network-tjo-cloud"],
+ "dst": [
+ "10.0.0.0/8:*",
+ "fd9b:5314::/32:*",
+ ],
+ },
+ // Admins Everywhere
+ {
+ "action": "accept",
+ "src": ["group:admin"],
+ "dst": ["*:*"],
+ },
+ ],
+
+ // Define users and devices that can use Tailscale SSH.
+ "ssh": [
+ // Own Devices
+ {
+ "action": "check",
+ "src": ["autogroup:member"],
+ "dst": ["autogroup:self"],
+ "users": ["autogroup:nonroot", "root"],
+ },
+ // Between Systems
+ {
+ "action": "accept",
+ "src": ["tag:system-tjo-cloud"],
+ "dst": ["tag:system-tjo-cloud"],
+ "users": ["autogroup:nonroot", "root"],
+ },
+ {
+ "action": "accept",
+ "src": ["tag:system-tjo-space"],
+ "dst": ["tag:system-tjo-space"],
+ "users": ["autogroup:nonroot", "root"],
+ },
+ // Admins to Systems Access
+ {
+ "action": "accept",
+ "src": ["group:admin"],
+ "dst": [
+ "tag:system-tjo-space",
+ "tag:system-tjo-cloud",
+ "tag:ingress-tjo-cloud",
+ "tag:network-tjo-cloud",
+ ],
+ "users": ["autogroup:nonroot", "root"],
+ },
+ ],
+
+ "nodeAttrs": [
+ {
+ // Funnel policy, which lets tailnet members control Funnel
+ // for their own devices.
+ // Learn more at https://tailscale.com/kb/1223/tailscale-funnel/
+ "target": ["autogroup:member"],
+ "attr": ["funnel"],
+ },
+ ],
+}
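Review bot: The "Admins to Systems Access" rule in `"ssh"` grants `group:admin` a root shell on every tagged system with `"action": "accept"`, although its source is a human user group for which `"check"` (re-authentication before the session opens) is available and is already used by the "Own Devices" rule above; changing that one line to `"action": "check",` means a lost admin device or hijacked session cannot silently become root on the routers and hypervisors. The two "Between Systems" rules also list `"root"` for tag-to-tag access, so one compromised `tag:system-tjo-cloud` or `tag:system-tjo-space` node holds root on every peer with the same tag; these presumably cannot use `check` because a tagged node has no user to re-authenticate, so dropping `"root"` from their `"users"` unless it is actually needed would limit the blast radius. The `autoApprovers` entry for `10.0.0.0/8` is likewise broader than the per-site subnets the README deploys, letting any node carrying `tag:network-tjo-cloud` advertise and get approval for any route in that /8; listing the actual site prefixes keeps approval to the intended ranges. A short comment on the admin rule such as `// check: require re-auth before root on infrastructure` would make the intent visible in the policy itself.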