{
// Declare static groups of users. Use autogroups for all users or users with a specific role.
"groups": {
"group:admin": ["tale"],
"group:user": ["tale", "arjun"],
"group:proxmox": ["tale", "arjun"]
},
// Define the tags which can be applied to devices and by which users.
"tagOwners": {
"tag:infra": ["group:admin"],
"tag:hyperv": ["group:admin"],
"tag:vm": ["group:admin", "group:proxmox"]
},
"acls": [
{
"action": "accept",
"src": ["tag:vm", "tag:infra"],
"dst": ["tag:vm:*", "tag:infra:*"]
},
//{
// "action": "accept",
// "src": ["autogroup:member"],
// "dst": ["autogroup:internet:*"],
//},
// Proxmox members may send any traffic to VMs (including SSH, port 22); the SSH login itself is granted in the "ssh" section below
{
"action": "accept",
"src": ["group:proxmox"],
"dst": ["tag:vm:*"]
},
// Any member of group:user can reach VMs on all ports
{"action": "accept", "src": ["group:user"], "dst": ["tag:vm:*"]},
// Admins can reach any destination on any port (overrides every destination restriction above)
{
"action": "accept",
"src": ["group:admin"],
"dst": ["*:*"]
},
],
"ssh": [
{
// Any Proxmox member can SSH into VMs (tag:vm)
"action": "accept",
"src": ["group:proxmox"],
"dst": ["tag:vm"],
"users": ["*"]
},
{
// Any admin can SSH into infrastructure nodes (tag:infra)
"action": "accept",
"src": ["group:admin"],
"dst": ["tag:infra"],
"users": ["*"]
}
],
// Test access rules every time the policy is saved (currently commented out, so no tests run).
// "tests": [
// {
// "src": "alice@example.com",
// "accept": ["tag:example"],
// "deny": ["100.101.102.103:443"],
// },
// ],
}