Created
May 2, 2021 04:59
-
-
Save bradfitz/28393fed383cfab97c3ffc378b243aff to your computer and use it in GitHub Desktop.
Tailscale ACL schema WIP
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| import "net" | |
| #Policy | |
| #Policy: { | |
| ACLs: [...#ACLRow] | |
| Groups: #Groups | |
| Hosts: #Hosts | |
| TagOwners: [#TagName]: [...#TagOwner] | |
| Tests: [...#ACLTest] | |
| } | |
| #ACLRow: { | |
| Action: "accept" | |
| Users: [...#ACLRowUser] | |
| Proto?: "sctp" | |
| Ports: [...#ACLRowPort] | |
| } | |
| #ACLRowUser: "*" | #Autogroups | #User | #GroupName | #TagName | |
| #Autogroups: "autogroup:shared" | |
| // Ports are the allowed "ip:port" ranges to permit Users to access. | |
| // The "ip" part of each "ip:port" can be of the form: | |
| // * a literal IP (1.2.3.4) | |
| // * a literal IP + CIDR (1.2.0.0/16) | |
| // * a hostname alias ("host1") | |
| // * a hostname/CIDR ("host1/16") | |
| // * "tag:foo" (for any node running as that tag) | |
| // The "port" part of each "ip:port" can be: | |
| // * a single port (22) | |
| // * comma-separated ports (22,80,443) | |
| // * a port range (8000-8099) | |
| // * or "*" for all | |
| // TODO: this is only validating ports | |
| #ACLRowPort: =~#".*:(\*|\d+-\d+)|\d+(,\d+)*$"# | |
| #Groups: [#GroupName]: [...#User] | |
| #GroupName: =~#"^group:.+"# | |
| #GroupValue: [...string] | |
| #Hosts: [string]: net.IP | |
| #TagName: =~#"^tag:.+"# | |
| #TagOwner: #User | #GroupName | |
| #ACLTest: { | |
| User: string | |
| Allow?: [...#hostport] | |
| Deny?: [...#hostport] | |
| } | |
| #hostport: =~#"^.*:\d+$"# | |
| #User: =~#".*@.*"# // poor regexp for email |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment