diff --git a/README.md b/README.md index 14f1efc..f7599b6 100644 --- a/README.md +++ b/README.md @@ -117,113 +117,6 @@ _Note: For the steps below use a service account that has Admin permissions._ 6. Generate an API acess token: you will need to give it a description. The key must be rotated and has a max expiration of 90 days, but can be shortened. This will be your Tailscale api token. -### Setup tailscale ACLs - -Here is an example ACL that does the following: - -- Machines with `tag:app-prod-provisioner-api` can talk to `tag:app-prod-provisioner-nodes` and vice versa. -- Users in `group:app-prod-provisioner-developers` can talk to `tag:app-prod-provisioner-api` and `tag:app-prod-provisioner-nodes` -- `tim.cook@glueops.dev` is part of `group:app-prod-provisioner-developers` -- `tim.cook@glueops.dev` can access their own instances tagged with `tag:tim-cook` however because we are using a SVC Admin account to tag the machines `tim.cook` doesn't actually own the tag itself. - -The goals of this ACL policy are to allow the provisioner API to access "provisioner nodes" via SSH (port 2222 since tailscale SSH takes over port 22). `tim.cook` needs to be able to admistrate provisioner nodes so he is part of `group:app-prod-provisioner-developers` otherwise he can be kept out of this group. `tim.cook` also uses a workspace himself so he needs to have a tag himself. Any user that uses a developer workspace will need their own tag so that this slack workspace bot can assign machines to them (e.g. `tag:tim-cook`). - -When testing new policies/ACLs it's best to just create a separate tailnet/tailscale account for testing. - -```json -{ - "acls": [ - { - "action": "accept", - "dst": [ - "tag:app-prod-provisioner-api:*", - "tag:app-prod-provisioner-nodes:*" - ], - "src": [ - "group:app-prod-provisioner-developers" - ] - }, - { - "action": "accept", - "dst": [ - "tag:app-prod-provisioner-nodes:*" - ], - "src": [ - "tag:app-prod-provisioner-api" - ] - }, - { - "action": "accept", - "dst": [ - "tag:tim-cook:*" - ], - "src": [ - "tim.cook@glueops.dev" - ] - } - ], - "groups": { - "group:app-prod-provisioner-developers": [ - "tim.cook@glueops.dev" - ] - }, - "ssh": [ - { - "action": "check", - "dst": [ - "autogroup:self" - ], - "src": [ - "autogroup:member" - ], - "users": [ - "autogroup:nonroot", - "root" - ] - }, - { - "action": "check", - "dst": [ - "tag:tim-cook" - ], - "src": [ - "autogroup:member", - "autogroup:admin" - ], - "users": [ - "autogroup:nonroot", - "root" - ] - }, - { - "action": "check", - "dst": [ - "tag:app-prod-provisioner-api", - "tag:app-prod-provisioner-nodes" - ], - "src": [ - "group:app-prod-provisioner-developers" - ], - "users": [ - "autogroup:nonroot", - "root" - ] - } - ], - "tagOwners": { - "tag:tim-cook": [ - "autogroup:admin" - ], - "tag:app-prod-provisioner-api": [ - "group:app-prod-provisioner-developers" - ], - "tag:app-prod-provisioner-nodes": [ - "group:app-prod-provisioner-developers" - ] - } -} -``` - # Adding Bot commands The bot is set up with a command handler to process text commands with a prefix of ! i.e. !vm. It currently does not support slash commands. The bot has some built in example commands found in bot/src/commands. To register a new command, create a file command.js in either the bot/src/commands, or command-handler/src/commands with `myCommand.js` being the command you want to register.