{
	// Declare static groups of users. Use autogroups for all users or users with a specific role.
	"groups": {
		"group:admin": ["tale"],
		"group:user":    ["tale", "arjun"],
		"group:proxmox": ["tale", "arjun"]
	},

	// Define the tags which can be applied to devices and by which users.
	"tagOwners": {
		"tag:infra": ["group:admin"],
		"tag:hyperv": ["group:admin"],
		"tag:vm": ["group:admin", "group:proxmox"]
	},

	"acls": [
		{
			"action": "accept",
			"src":    ["tag:vm", "tag:infra"],
			"dst":    ["tag:vm:*", "tag:infra:*"]
		},
		//{
		//	"action": "accept",
		//	"src":    ["autogroup:member"],
		//	"dst":    ["autogroup:internet:*"],
		//},
		// Proxmox members have access to all traffic from VMs (including SSH)
		{
			"action": "accept",
			"src":    ["group:proxmox"],
			"dst":    ["tag:vm:*"]
		},

		// Anyone can access VM traffic
		{"action": "accept", "src": ["group:user"], "dst": ["tag:vm:*"]},

		// Admins get to override any destination restrictions
		{
			"action": "accept",
			"src":    ["group:admin"],
			"dst":    ["*:*"]
		},
	],

	"ssh": [
		{
			// Any Proxmox members can SSH into VMs
			"action": "accept",
			"src":    ["group:proxmox"],
			"dst":    ["tag:vm"],
			"users":  ["*"]
		},
		{
			// Any Admin can SSH into infrastructure
			"action": "accept",
			"src":    ["group:admin"],
			"dst":    ["tag:infra"],
			"users":  ["*"]
		}
	],

	// Test access rules every time they're saved.
	// "tests": [
	//  	{
	//  		"src": "alice@example.com",
	//  		"accept": ["tag:example"],
	//  		"deny": ["100.101.102.103:443"],
	//  	},
	// ],
}