docs: tailscale acl example

2024-11-03 23:06:34 +01:00 · 2024-11-03 23:06:34 +01:00 · 30d762f151
commit 30d762f151
parent 63d21650e4
3 changed files with 132 additions and 6 deletions
--- a/README.md
+++ b/README.md
@ -43,26 +43,36 @@ __network.tjo.cloud__ establishes Tailscale VPN connection between other network

 ### 3. Deploy terraform.

-### 4. Manually configure Tailscale.
+### 4. Set Password (see bitwarden)
+
+### 5. Setup Tailscale.
 Ref: https://github.com/adyanth/openwrt-tailscale-enabler

 ```
 opkg update
-opkg install iptables-nft kmod-ipt-conntrack kmod-ipt-conntrack-extra kmod-ipt-conntrack-label kmod-ipt-nat kmod-nft-nat
+opkg install ca-bundle kmod-tun iptables-nft kmod-ipt-conntrack kmod-ipt-conntrack-extra kmod-ipt-conntrack-label kmod-ipt-nat kmod-nft-nat
+/etc/init.d/tailscale start
+/etc/init.d/tailscale enable
 tailscale up --accept-routes --advertise-routes=$IPV4_SUBNET,$IPV6_SUBNET --accept-dns=false --ssh
 ```

-### 5. Configure `NAT`, `DHCP`.
+### 6. Configure.

 Once tailscale is up and manually configured (see the config files for guide).
 We can use automated way of maintaining config.

 ```
-just deploy-config nevaroo 10.0.48.0 fd9b:5314:0:3000::
+just deploy-config batuu 10.0.16.1 fd9b:5314:0:1000::
+just deploy-config jakku 10.0.32.1 fd9b:5314:0:2000::
+just deploy-config nevaroo 10.0.48.1 fd9b:5314:0:3000::
 ```

 # TODO

+## Use gitops for tailscale ACL.
+
+Current version is an snapshot in time, more as an example then actual version used.
+
 ## IPv6 Connectivity.

 As we assign private ipv6 addresses, we would have to ise ipv6 nat to translate those to real ipv6 addresses.
--- a/6
+++ b/6
@ -36,5 +36,7 @@ deploy-config node ipv4_subnet ipv6_subnet:
    cat $file | envsubst | tailscale ssh "root@{{node}}-network-tjo-cloud" "cat > /etc/config/$(basename $file)"
  done

-  echo "Reloading network configuration"
-  tailscale ssh "root@{{node}}-network-tjo-cloud" "/etc/init.d/network reload"
+  echo "Reboot router in 5 seconds..."
+  sleep 5
+  echo "Rebooting router..."
+  tailscale ssh "root@{{node}}-network-tjo-cloud" "reboot"
--- a/tailscale/policy.hujson
+++ b/tailscale/policy.hujson
@ -0,0 +1,114 @@
+{
+	// Declare static groups of users. Use autogroups for all users or users with a specific role.
+	"groups": {
+		"group:admin": ["tine.jozelj@tjo.space"],
+	},
+
+	// Define the tags which can be applied to devices and by which users.
+	"tagOwners": {
+		// Cloud
+		"tag:system-tjo-cloud":     ["group:admin"],
+		"tag:network-tjo-cloud":    ["group:admin"],
+		"tag:kubernetes-tjo-cloud": ["group:admin"],
+		"tag:ingress-tjo-cloud":    ["group:admin"],
+		// Space
+		"tag:system-tjo-space": ["group:admin"],
+	},
+
+	"autoApprovers": {
+		"routes": {
+			// VM Subnets
+			"10.0.0.0/8":     ["tag:network-tjo-cloud"],
+			"fd9b:5314::/32": ["tag:network-tjo-cloud"],
+		},
+	},
+
+	// Define access control lists for users, groups, autogroups, tags,
+	// Tailscale IP addresses, and subnet ranges.
+	"acls": [
+		// Own Devices
+		{
+			"action": "accept",
+			"src":    ["*"],
+			"dst":    ["autogroup:self:*"],
+		},
+		// Between Systems
+		{
+			"action": "accept",
+			"src":    ["tag:system-tjo-cloud"],
+			"dst":    ["tag:system-tjo-cloud:*"],
+		},
+		{
+			"action": "accept",
+			"src":    ["tag:system-tjo-space"],
+			"dst":    ["tag:system-tjo-space:*"],
+		},
+		// From system.tjo.space to system.tjo.cloud Proxmox Access
+		{
+			"action": "accept",
+			"src":    ["tag:system-tjo-space"],
+			"dst":    ["tag:system-tjo-cloud:8006"],
+		},
+		// Network to VM Subnets
+		{
+			"action": "accept",
+			"src":    ["tag:network-tjo-cloud"],
+			"dst": [
+				"10.0.0.0/8:*",
+				"fd9b:5314::/32:*",
+			],
+		},
+		// Admins Everywhere
+		{
+			"action": "accept",
+			"src":    ["group:admin"],
+			"dst":    ["*:*"],
+		},
+	],
+
+	// Define users and devices that can use Tailscale SSH.
+	"ssh": [
+		// Own Devices
+		{
+			"action": "check",
+			"src":    ["autogroup:member"],
+			"dst":    ["autogroup:self"],
+			"users":  ["autogroup:nonroot", "root"],
+		},
+		// Between Systems
+		{
+			"action": "accept",
+			"src":    ["tag:system-tjo-cloud"],
+			"dst":    ["tag:system-tjo-cloud"],
+			"users":  ["autogroup:nonroot", "root"],
+		},
+		{
+			"action": "accept",
+			"src":    ["tag:system-tjo-space"],
+			"dst":    ["tag:system-tjo-space"],
+			"users":  ["autogroup:nonroot", "root"],
+		},
+		// Admins to Systems Access
+		{
+			"action": "accept",
+			"src":    ["group:admin"],
+			"dst": [
+				"tag:system-tjo-space",
+				"tag:system-tjo-cloud",
+				"tag:ingress-tjo-cloud",
+				"tag:network-tjo-cloud",
+			],
+			"users": ["autogroup:nonroot", "root"],
+		},
+	],
+
+	"nodeAttrs": [
+		{
+			// Funnel policy, which lets tailnet members control Funnel
+			// for their own devices.
+			// Learn more at https://tailscale.com/kb/1223/tailscale-funnel/
+			"target": ["autogroup:member"],
+			"attr":   ["funnel"],
+		},
+	],
+}