fix(docs): migrating tailscale acl notes to provisioner repo #110

Closed
107 changes: 0 additions & 107 deletions README.md
Expand Up @@ -117,113 +117,6 @@ _Note: For the steps below use a service account that has Admin permissions._

6. Generate an API acess token: you will need to give it a description. The key must be rotated and has a max expiration of 90 days, but can be shortened. This will be your Tailscale api token.

### Setup tailscale ACLs

Here is an example ACL that does the following:

- Machines with `tag:app-prod-provisioner-api` can talk to `tag:app-prod-provisioner-nodes` and vice versa.
- Users in `group:app-prod-provisioner-developers` can talk to `tag:app-prod-provisioner-api` and `tag:app-prod-provisioner-nodes`
- `[email protected]` is part of `group:app-prod-provisioner-developers`
- `[email protected]` can access their own instances tagged with `tag:tim-cook` however because we are using a SVC Admin account to tag the machines `tim.cook` doesn't actually own the tag itself.

The goals of this ACL policy are to allow the provisioner API to access "provisioner nodes" via SSH (port 2222 since tailscale SSH takes over port 22). `tim.cook` needs to be able to admistrate provisioner nodes so he is part of `group:app-prod-provisioner-developers` otherwise he can be kept out of this group. `tim.cook` also uses a workspace himself so he needs to have a tag himself. Any user that uses a developer workspace will need their own tag so that this slack workspace bot can assign machines to them (e.g. `tag:tim-cook`).

When testing new policies/ACLs it's best to just create a separate tailnet/tailscale account for testing.

```json
{
"acls": [
{
"action": "accept",
"dst": [
"tag:app-prod-provisioner-api:*",
"tag:app-prod-provisioner-nodes:*"
],
"src": [
"group:app-prod-provisioner-developers"
]
},
{
"action": "accept",
"dst": [
"tag:app-prod-provisioner-nodes:*"
],
"src": [
"tag:app-prod-provisioner-api"
]
},
{
"action": "accept",
"dst": [
"tag:tim-cook:*"
],
"src": [
"[email protected]"
]
}
],
"groups": {
"group:app-prod-provisioner-developers": [
"[email protected]"
]
},
"ssh": [
{
"action": "check",
"dst": [
"autogroup:self"
],
"src": [
"autogroup:member"
],
"users": [
"autogroup:nonroot",
"root"
]
},
{
"action": "check",
"dst": [
"tag:tim-cook"
],
"src": [
"autogroup:member",
"autogroup:admin"
],
"users": [
"autogroup:nonroot",
"root"
]
},
{
"action": "check",
"dst": [
"tag:app-prod-provisioner-api",
"tag:app-prod-provisioner-nodes"
],
"src": [
"group:app-prod-provisioner-developers"
],
"users": [
"autogroup:nonroot",
"root"
]
}
],
"tagOwners": {
"tag:tim-cook": [
"autogroup:admin"
],
"tag:app-prod-provisioner-api": [
"group:app-prod-provisioner-developers"
],
"tag:app-prod-provisioner-nodes": [
"group:app-prod-provisioner-developers"
]
}
}
```

# Adding Bot commands
The bot is set up with a command handler to process text commands with a prefix of ! i.e. !vm. It currently does not support slash commands.
The bot has some built in example commands found in bot/src/commands. To register a new command, create a file command.js in either the bot/src/commands, or command-handler/src/commands with `myCommand.js` being the command you want to register.
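Review bot: removing the whole "Setup tailscale ACLs" section leaves no pointer to where it went, so the README now runs from step 6 (generate the API access token) straight into "# Adding Bot commands" and a reader has no way to find the tags and groups that token is expected to manage; add a one-line note after step 6 such as "Tailscale ACL setup has moved to the provisioner repo (see its README)." with the actual link, since the PR title names the destination but the file itself does not. While touching this area, the surviving context line "Generate an API acess token" could be corrected to "access" in the same change rather than left for a follow-up.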