{
// Tailscale Tailnet Policy File using Grants
// Define who can assign tags to devices. Admins can assign every tag; a tag that also lists itself as an owner lets devices already carrying that tag assign it to further devices.
"tagOwners": {
"tag:admin-nodes": ["autogroup:admin"],
"tag:pve-hosts": ["autogroup:admin"],
"tag:pve-backup-servers": ["autogroup:admin"],
"tag:isolated-nodes": ["autogroup:admin", "tag:isolated-nodes"],
"tag:katie": ["autogroup:admin"],
"tag:jack": ["autogroup:admin"],
"tag:sheen-relays": ["autogroup:admin", "tag:sheen-relays"],
"tag:sheen": ["autogroup:admin", "tag:sheen"],
"tag:dukesrd-relays": ["autogroup:admin", "tag:dukesrd-relays"],
"tag:dukesrd": ["autogroup:admin", "tag:dukesrd"],
"tag:osrc-relays": ["autogroup:admin", "tag:osrc-relays"],
"tag:osrc": ["autogroup:admin", "tag:osrc"],
"tag:june-relays": ["autogroup:admin", "tag:june-relays"],
"tag:june": ["autogroup:admin", "tag:june"],
"tag:clabs-net": ["autogroup:admin", "tag:clabs-net"],
"tag:work-clabula": ["autogroup:admin", "tag:work-clabula"],
"tag:accessible": ["autogroup:admin", "tag:accessible"],
"tag:dropshell-backups": ["autogroup:admin", "tag:dropshell-backups"],
},
"grants": [
// 1. Admin nodes have full access to everything on the network
{
"src": ["tag:admin-nodes"],
"dst": [
"tag:admin-nodes",
"tag:pve-hosts",
"tag:pve-backup-servers",
"tag:isolated-nodes",
"tag:katie",
"tag:jack",
"tag:sheen",
"tag:sheen-relays",
"tag:june",
"tag:june-relays",
"tag:osrc",
"tag:osrc-relays",
"tag:dukesrd",
"tag:dukesrd-relays",
"tag:clabs-net",
"tag:work-clabula",
"tag:accessible",
"tag:dropshell-backups",
],
"ip": ["*"],
},
// 2. PVE hosts can reach the PVE backup servers and dropshell backups (but not other PVE hosts)
{
"src": ["tag:pve-hosts"],
"dst": ["tag:pve-backup-servers", "tag:dropshell-backups"],
"ip": ["*"],
},
// 3. PVE backup servers can reach all hosts (but not other backup servers)
{
"src": ["tag:pve-backup-servers"],
"dst": ["tag:pve-hosts"],
"ip": ["*"],
},
// 4. Katie nodes can only see other katie nodes (plus the shared targets every source gets in grant 6)
{
"src": ["tag:katie"],
"dst": ["tag:katie"],
"ip": ["*"],
},
// 5. Jack nodes can only see other jack nodes (plus the shared targets every source gets in grant 6)
{
"src": ["tag:jack"],
"dst": ["tag:jack"],
"ip": ["*"],
},
// 6. Every source, including tag:isolated-nodes and the per-group tags, can reach accessible and dropshell backups
{
"src": ["*"],
"dst": ["tag:accessible", "tag:dropshell-backups"],
"ip": ["*"],
},
// Relay capability grants (app capability only; no IP connectivity is granted here)
{
"src": ["tag:sheen"],
"dst": ["tag:sheen-relays"],
"app": {"tailscale.com/cap/relay": []},
},
{
"src": ["tag:osrc"],
"dst": ["tag:osrc-relays"],
"app": {"tailscale.com/cap/relay": []},
},
{
"src": ["tag:june"],
"dst": ["tag:june-relays"],
"app": {"tailscale.com/cap/relay": []},
},
{
"src": ["tag:dukesrd"],
"dst": ["tag:dukesrd-relays"],
"app": {"tailscale.com/cap/relay": []},
},
// Direct IP communication within each group
{
"src": ["tag:sheen"],
"dst": ["tag:sheen"],
"ip": ["*"],
},
{
"src": ["tag:june"],
"dst": ["tag:june"],
"ip": ["*"],
},
{
"src": ["tag:osrc"],
"dst": ["tag:osrc"],
"ip": ["*"],
},
{
"src": ["tag:dukesrd"],
"dst": ["tag:dukesrd"],
"ip": ["*"],
},
{
"src": ["tag:clabs-net"],
"dst": ["tag:clabs-net"],
"ip": ["*"],
},
{
"src": ["tag:work-clabula"],
"dst": ["tag:work-clabula"],
"ip": ["*"],
},
],
"ssh": [
{
"action": "accept",
"src": ["tag:admin-nodes"],
"dst": [
"tag:admin-nodes",
"tag:pve-hosts",
"tag:pve-backup-servers",
"tag:isolated-nodes",
"tag:katie",
"tag:jack",
"tag:sheen",
"tag:sheen-relays",
"tag:june",
"tag:june-relays",
"tag:osrc",
"tag:osrc-relays",
"tag:dukesrd",
"tag:dukesrd-relays",
"tag:clabs-net",
"tag:work-clabula",
"tag:accessible",
"tag:dropshell-backups",
],
"users": ["root", "autogroup:nonroot"],
},
{
"action": "accept",
"src": ["tag:pve-hosts", "tag:pve-backup-servers"],
"dst": ["tag:pve-hosts", "tag:pve-backup-servers"],
"users": ["root", "autogroup:nonroot"],
},
{
"action": "accept",
"src": ["tag:katie", "tag:jack"],
"dst": ["tag:katie", "tag:jack"],
"users": ["root", "autogroup:nonroot"],
},
],
"tests": [
// Admin can reach everything
{
"src": "tag:admin-nodes",
"accept": [
"tag:pve-hosts:22",
"tag:pve-backup-servers:22",
"tag:isolated-nodes:443",
"tag:admin-nodes:22",
"tag:katie:22",
"tag:jack:22",
"tag:sheen:22",
"tag:june:22",
"tag:osrc:22",
"tag:dukesrd:22",
],
},
// PVE hosts can reach backups only
{
"src": "tag:pve-hosts",
"accept": ["tag:pve-backup-servers:22"],
"deny": ["tag:pve-hosts:22", "tag:admin-nodes:22", "tag:isolated-nodes:22"],
},
// PVE backup servers can reach hosts only
{
"src": "tag:pve-backup-servers",
"accept": ["tag:pve-hosts:22"],
"deny": ["tag:pve-backup-servers:22", "tag:admin-nodes:22", "tag:isolated-nodes:22"],
},
// Katie nodes can only reach other katie nodes
{
"src": "tag:katie",
"accept": ["tag:katie:22"],
"deny": [
"tag:admin-nodes:22",
"tag:pve-hosts:22",
"tag:jack:22",
"tag:isolated-nodes:22",
],
},
// Jack nodes can only reach other jack nodes
{
"src": "tag:jack",
"accept": ["tag:jack:22"],
"deny": [
"tag:admin-nodes:22",
"tag:pve-hosts:22",
"tag:katie:22",
"tag:isolated-nodes:22",
],
},
// Isolated nodes can't reach the admin, PVE host or PVE backup groups (grant 6's src "*" still lets them reach tag:accessible and tag:dropshell-backups, which these tests do not cover)
{
"src": "tag:isolated-nodes",
"deny": ["tag:admin-nodes:80", "tag:pve-hosts:80", "tag:pve-backup-servers:80"],
},
// Sheen nodes can reach each other, not other groups
{
"src": "tag:sheen",
"accept": ["tag:sheen:22"],
"deny": ["tag:admin-nodes:22", "tag:june:22", "tag:pve-hosts:22"],
},
// June nodes can reach each other, not other groups
{
"src": "tag:june",
"accept": ["tag:june:22"],
"deny": ["tag:admin-nodes:22", "tag:sheen:22", "tag:pve-hosts:22"],
},
// Osrc nodes can reach each other, not other groups
{
"src": "tag:osrc",
"accept": ["tag:osrc:22"],
"deny": ["tag:admin-nodes:22", "tag:sheen:22", "tag:pve-hosts:22"],
},
// Dukesrd nodes can reach each other, not other groups
{
"src": "tag:dukesrd",
"accept": ["tag:dukesrd:22"],
"deny": ["tag:admin-nodes:22", "tag:sheen:22", "tag:pve-hosts:22"],
},
],
"nodeAttrs": [
{"target": ["100.86.87.6"], "attr": ["mullvad"]},
{"target": ["100.68.207.52"], "attr": ["mullvad"]},
],
}