
Update internal docs to the new syntax

This commit is contained in:
Juan Font Alonso 2022-06-08 18:12:47 +02:00
parent 39f03b86c8
commit c47354bdc3


@ -33,7 +33,7 @@ Note: Namespaces will be created automatically when users authenticate with the
Headscale server. Headscale server.
ACLs could be written either on [huJSON](https://github.com/tailscale/hujson) ACLs could be written either on [huJSON](https://github.com/tailscale/hujson)
or Yaml. Check the [test ACLs](../tests/acls) for further information. or YAML. Check the [test ACLs](../tests/acls) for further information.
When registering the servers we will need to add the flag When registering the servers we will need to add the flag
`--advertised-tags=tag:<tag1>,tag:<tag2>`, and the user (namespace) that is `--advertised-tags=tag:<tag1>,tag:<tag2>`, and the user (namespace) that is
@ -83,8 +83,8 @@ Here are the ACL's to implement the same permissions as above:
// boss have access to all servers // boss have access to all servers
{ {
"action": "accept", "action": "accept",
"users": ["group:boss"], "src": ["group:boss"],
"ports": [ "dst": [
"tag:prod-databases:*", "tag:prod-databases:*",
"tag:prod-app-servers:*", "tag:prod-app-servers:*",
"tag:internal:*", "tag:internal:*",
@ -96,8 +96,8 @@ Here are the ACL's to implement the same permissions as above:
// admin have only access to administrative ports of the servers // admin have only access to administrative ports of the servers
{ {
"action": "accept", "action": "accept",
"users": ["group:admin"], "src": ["group:admin"],
"ports": [ "dst": [
"tag:prod-databases:22", "tag:prod-databases:22",
"tag:prod-app-servers:22", "tag:prod-app-servers:22",
"tag:internal:22", "tag:internal:22",
@ -110,8 +110,8 @@ Here are the ACL's to implement the same permissions as above:
// they can only view the applications servers in prod and have no access to databases servers in production // they can only view the applications servers in prod and have no access to databases servers in production
{ {
"action": "accept", "action": "accept",
"users": ["group:dev"], "src": ["group:dev"],
"ports": [ "dst": [
"tag:dev-databases:*", "tag:dev-databases:*",
"tag:dev-app-servers:*", "tag:dev-app-servers:*",
"tag:prod-app-servers:80,443" "tag:prod-app-servers:80,443"
@ -124,37 +124,37 @@ Here are the ACL's to implement the same permissions as above:
// https://github.com/juanfont/headscale/issues/502 // https://github.com/juanfont/headscale/issues/502
{ {
"action": "accept", "action": "accept",
"users": ["group:dev"], "src": ["group:dev"],
"ports": ["10.20.0.0/16:443,5432", "router.internal:0"] "dst": ["10.20.0.0/16:443,5432", "router.internal:0"]
}, },
// servers should be able to talk to database. Database should not be able to initiate connections to // servers should be able to talk to database. Database should not be able to initiate connections to
// applications servers // applications servers
{ {
"action": "accept", "action": "accept",
"users": ["tag:dev-app-servers"], "src": ["tag:dev-app-servers"],
"ports": ["tag:dev-databases:5432"] "dst": ["tag:dev-databases:5432"]
}, },
{ {
"action": "accept", "action": "accept",
"users": ["tag:prod-app-servers"], "src": ["tag:prod-app-servers"],
"ports": ["tag:prod-databases:5432"] "dst": ["tag:prod-databases:5432"]
}, },
// interns have access to dev-app-servers only in reading mode // interns have access to dev-app-servers only in reading mode
{ {
"action": "accept", "action": "accept",
"users": ["group:intern"], "src": ["group:intern"],
"ports": ["tag:dev-app-servers:80,443"] "dst": ["tag:dev-app-servers:80,443"]
}, },
// We still have to allow internal namespaces communications since nothing guarantees that each user have // We still have to allow internal namespaces communications since nothing guarantees that each user have
// their own namespaces. // their own namespaces.
{ "action": "accept", "users": ["boss"], "ports": ["boss:*"] }, { "action": "accept", "src": ["boss"], "dst": ["boss:*"] },
{ "action": "accept", "users": ["dev1"], "ports": ["dev1:*"] }, { "action": "accept", "src": ["dev1"], "dst": ["dev1:*"] },
{ "action": "accept", "users": ["dev2"], "ports": ["dev2:*"] }, { "action": "accept", "src": ["dev2"], "dst": ["dev2:*"] },
{ "action": "accept", "users": ["admin1"], "ports": ["admin1:*"] }, { "action": "accept", "src": ["admin1"], "dst": ["admin1:*"] },
{ "action": "accept", "users": ["intern1"], "ports": ["intern1:*"] } { "action": "accept", "src": ["intern1"], "dst": ["intern1:*"] }
] ]
} }
``` ```