@@ -4,20 +4,30 @@ resource "tailscale_acl" "acl" {
44 "tagOwners": {
55 "${ local . tags . server } ": [], // Not used for any ACL yet
66 "${ local . tags . initrd } ": [],
7- "${ local . tags . ssh } ": []
7+ "${ local . tags . ssh } ": [],
8+ "${ local . tags . router } ": [],
9+ "${ local . tags . subnet } ": []
810 },
9- "acls ": [
11+ "grants ": [
1012 {
1113 // Allow all members to connect to any node
12- "action": "accept",
13- "src": [
14- "autogroup:member"
15- ],
16- "dst": [
17- "*:*"
18- ]
14+ "src": [ "autogroup:member" ],
15+ "dst": [ "*" ],
16+ "ip": [ "*" ]
1917 },
18+ {
19+ // Allow routers to connect to any node
20+ "src": [ "${ local . tags . router } " ],
21+ "dst": [ "*" ],
22+ "ip": [ "*" ]
23+ }
2024 ],
25+ "autoApprovers": {
26+ "exitNode": [ "tag:router" ],
27+ "routes": {
28+ "192.168.0.0/16": [ "tag:subnet" ]
29+ }
30+ },
2131 "ssh": [
2232 {
2333 "action": "accept",
@@ -50,7 +60,17 @@ resource "tailscale_acl" "acl" {
5060 "${ local . tags . initrd } :2222",
5161 "100.113.5.10:80"
5262 ]
53- }
63+ },
64+ {
65+ // A router also should be able to access any node
66+ "src": "${ local . tags . router } ",
67+ "allow": [
68+ "${ local . tags . initrd } :2222",
69+ "${ local . tags . ssh } :22",
70+ "${ local . tags . router } :443",
71+ "100.113.5.10:80"
72+ ]
73+ },
5474 ],
5575 "sshTests": [
5676 {
0 commit comments