docs: tailscale acl example

This commit is contained in:
Tine 2024-11-03 23:06:34 +01:00
parent 63d21650e4
commit 30d762f151
Signed by: mentos1386
SSH key fingerprint: SHA256:MNtTsLbihYaWF8j1fkOHfkKNlnN1JQfxEU/rBU8nCGw
3 changed files with 132 additions and 6 deletions


@ -43,26 +43,36 @@ __network.tjo.cloud__ establishes Tailscale VPN connection between other network
### 3. Deploy terraform. ### 3. Deploy terraform.
### 4. Manually configure Tailscale. ### 4. Set Password (see bitwarden)
### 5. Setup Tailscale.
Ref: https://github.com/adyanth/openwrt-tailscale-enabler Ref: https://github.com/adyanth/openwrt-tailscale-enabler
``` ```
opkg update opkg update
opkg install iptables-nft kmod-ipt-conntrack kmod-ipt-conntrack-extra kmod-ipt-conntrack-label kmod-ipt-nat kmod-nft-nat opkg install ca-bundle kmod-tun iptables-nft kmod-ipt-conntrack kmod-ipt-conntrack-extra kmod-ipt-conntrack-label kmod-ipt-nat kmod-nft-nat
/etc/init.d/tailscale start
/etc/init.d/tailscale enable
tailscale up --accept-routes --advertise-routes=$IPV4_SUBNET,$IPV6_SUBNET --accept-dns=false --ssh tailscale up --accept-routes --advertise-routes=$IPV4_SUBNET,$IPV6_SUBNET --accept-dns=false --ssh
``` ```
### 5. Configure `NAT`, `DHCP`. ### 6. Configure.
Once tailscale is up and manually configured (see the config files for guide). Once tailscale is up and manually configured (see the config files for guide).
We can use automated way of maintaining config. We can use automated way of maintaining config.
``` ```
just deploy-config nevaroo 10.0.48.0 fd9b:5314:0:3000:: just deploy-config batuu 10.0.16.1 fd9b:5314:0:1000::
just deploy-config jakku 10.0.32.1 fd9b:5314:0:2000::
just deploy-config nevaroo 10.0.48.1 fd9b:5314:0:3000::
``` ```
# TODO # TODO
## Use gitops for tailscale ACL.
Current version is an snapshot in time, more as an example then actual version used.
## IPv6 Connectivity. ## IPv6 Connectivity.
As we assign private ipv6 addresses, we would have to ise ipv6 nat to translate those to real ipv6 addresses. As we assign private ipv6 addresses, we would have to ise ipv6 nat to translate those to real ipv6 addresses.


@ -36,5 +36,7 @@ deploy-config node ipv4_subnet ipv6_subnet:
cat $file | envsubst | tailscale ssh "root@{{node}}-network-tjo-cloud" "cat > /etc/config/$(basename $file)" cat $file | envsubst | tailscale ssh "root@{{node}}-network-tjo-cloud" "cat > /etc/config/$(basename $file)"
done done
echo "Reloading network configuration" echo "Reboot router in 5 seconds..."
tailscale ssh "root@{{node}}-network-tjo-cloud" "/etc/init.d/network reload" sleep 5
echo "Rebooting router..."
tailscale ssh "root@{{node}}-network-tjo-cloud" "reboot"
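Review bot: The unconditional `reboot` on the last line of the recipe runs even if one of the `cat > /etc/config/$(basename $file)` uploads in the loop above failed, and because the only management path to the router is the Tailscale session whose own config is being replaced, rebooting into a partially written configuration can cut off remote access with no way back short of physical recovery. The loop begins before this hunk, so the check belongs on the upload line itself, e.g. `cat $file | envsubst | tailscale ssh "root@{{node}}-network-tjo-cloud" "cat > /etc/config/$(basename $file)" || { echo "upload of $file failed, not rebooting"; exit 1; }`. The 5-second `sleep` gives a human a window to abort, but it does not replace checking the exit status.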

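--- a/tailscale/policy.hujson
+++ b/tailscale/policy.hujson
@@ -0,0 +1,114 @@
+{
+// Declare static groups of users. Use autogroups for all users or users with a specific role.
+"groups": {
+"group:admin": ["tine.jozelj@tjo.space"],
+},
+// Define the tags which can be applied to devices and by which users.
+"tagOwners": {
+// Cloud
+"tag:system-tjo-cloud": ["group:admin"],
+"tag:network-tjo-cloud": ["group:admin"],
+"tag:kubernetes-tjo-cloud": ["group:admin"],
+"tag:ingress-tjo-cloud": ["group:admin"],
+// Space
+"tag:system-tjo-space": ["group:admin"],
+},
+"autoApprovers": {
+"routes": {
+// VM Subnets
+"10.0.0.0/8": ["tag:network-tjo-cloud"],
+"fd9b:5314::/32": ["tag:network-tjo-cloud"],
+},
+},
+// Define access control lists for users, groups, autogroups, tags,
+// Tailscale IP addresses, and subnet ranges.
+"acls": [
+// Own Devices
+{
+"action": "accept",
+"src": ["*"],
+"dst": ["autogroup:self:*"],
+},
+// Between Systems
+{
+"action": "accept",
+"src": ["tag:system-tjo-cloud"],
+"dst": ["tag:system-tjo-cloud:*"],
+},
+{
+"action": "accept",
+"src": ["tag:system-tjo-space"],
+"dst": ["tag:system-tjo-space:*"],
+},
+// From system.tjo.space to system.tjo.cloud Proxmox Access
+{
+"action": "accept",
+"src": ["tag:system-tjo-space"],
+"dst": ["tag:system-tjo-cloud:8006"],
+},
+// Network to VM Subnets
+{
+"action": "accept",
+"src": ["tag:network-tjo-cloud"],
+"dst": [
+"10.0.0.0/8:*",
+"fd9b:5314::/32:*",
+],
+},
+// Admins Everywhere
+{
+"action": "accept",
+"src": ["group:admin"],
+"dst": ["*:*"],
+},
+],
+// Define users and devices that can use Tailscale SSH.
+"ssh": [
+// Own Devices
+{
+"action": "check",
+"src": ["autogroup:member"],
+"dst": ["autogroup:self"],
+"users": ["autogroup:nonroot", "root"],
+},
+// Between Systems
+{
+"action": "accept",
+"src": ["tag:system-tjo-cloud"],
+"dst": ["tag:system-tjo-cloud"],
+"users": ["autogroup:nonroot", "root"],
+},
+{
+"action": "accept",
+"src": ["tag:system-tjo-space"],
+"dst": ["tag:system-tjo-space"],
+"users": ["autogroup:nonroot", "root"],
+},
+// Admins to Systems Access
+{
+"action": "accept",
+"src": ["group:admin"],
+"dst": [
+"tag:system-tjo-space",
+"tag:system-tjo-cloud",
+"tag:ingress-tjo-cloud",
+"tag:network-tjo-cloud",
+],
+"users": ["autogroup:nonroot", "root"],
+},
+],
+"nodeAttrs": [
+{
+// Funnel policy, which lets tailnet members control Funnel
+// for their own devices.
+// Learn more at https://tailscale.com/kb/1223/tailscale-funnel/
+"target": ["autogroup:member"],
+"attr": ["funnel"],
+},
+],
+}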
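Review bot: The "Admins to Systems Access" SSH rule near the end of the `ssh` section grants `root` on every tagged node with `"action": "accept"`, so an admin device that is lost or has a live session reaches root on all systems without any re-authentication; the "Own Devices" rule above it already uses `check`, and that is the safer choice for a rule whose `users` list includes `root`, e.g. `"action": "check",` (a `checkPeriod` can bound how often the prompt recurs, if the tailnet supports it). Separately, `autoApprovers.routes` accepts any advertisement inside `10.0.0.0/8` and `fd9b:5314::/32` from any `tag:network-tjo-cloud` device, while the README in this commit deploys three specific subnets; narrowing the approved prefixes to those subnets would stop a compromised or misconfigured router from quietly claiming the rest of the range. A one-line comment on the "Admins Everywhere" ACL rule stating that it intentionally subsumes the narrower tag rules would also help future readers.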