  1. // Tailscale policy file: allow-all grants, check-mode Tailscale SSH to a user's own devices, and Funnel enabled for every member.
  2. {
  3. // Declare static groups of users. Use autogroups for all users or users with a specific role.
  4. // "groups": {
  5. // "group:example": ["[email protected]", "[email protected]"],
  6. // },
  7.  
  8. // Define the tags which can be applied to devices and by which users.
  9. // "tagOwners": {
  10. // "tag:example": ["autogroup:admin"],
  11. // },
  12.  
  13. // Define grants that govern access for users, groups, autogroups, tags,
  14. // Tailscale IP addresses, and subnet ranges.
  15. "grants": [
  16. // Allow all connections: any source may reach any destination on every port and protocol, so this policy provides no segmentation.
  17. // To enforce least privilege, comment this grant out and replace it with narrower src/dst/ip grants.
  18. {"src": ["*"], "dst": ["*"], "ip": ["*"]},
  19.  
  20. // Allow users in "group:example" to access "tag:example", but only from
  21. // devices that are running macOS and have enabled Tailscale client auto-updating.
  22. // {"src": ["group:example"], "dst": ["tag:example"], "ip": ["*"], "srcPosture":["posture:autoUpdateMac"]},
  23. ],
  24.  
  25. // Define postures that will be applied to all rules without any specific
  26. // srcPosture definition.
  27. // "defaultSrcPosture": [
  28. // "posture:anyMac",
  29. // ],
  30.  
  31. // Define device posture rules requiring devices to meet
  32. // certain criteria to access parts of your system.
  33. // "postures": {
  34. // // Require devices running macOS, a stable Tailscale
  35. // // version and auto update enabled for Tailscale.
  36. // "posture:autoUpdateMac": [
  37. // "node:os == 'macos'",
  38. // "node:tsReleaseTrack == 'stable'",
  39. // "node:tsAutoUpdate",
  40. // ],
  41. // // Require devices running macOS and a stable
  42. // // Tailscale version.
  43. // "posture:anyMac": [
  44. // "node:os == 'macos'",
  45. // "node:tsReleaseTrack == 'stable'",
  46. // ],
  47. // },
  48.  
  49. // Define users and devices that can use Tailscale SSH.
  50. "ssh": [
  51. // Allow all members to SSH into their own devices (autogroup:self) in check mode, which requires a recent re-authentication.
  52. // "users" lists "root" as well as autogroup:nonroot, so root logins are allowed; comment this section out to define specific restrictions.
  53. {
  54. "action": "check",
  55. "src": ["autogroup:member"],
  56. "dst": ["autogroup:self"],
  57. "users": ["autogroup:nonroot", "root"],
  58. },
  59. ],
  60. "nodeAttrs": [ // Attributes applied to the listed targets.
  61. {
  62. "target": ["autogroup:member"], // Applies to every tailnet member rather than a named group or tag.
  63. "attr": ["funnel"], // Permits Tailscale Funnel, which can publish a device's local service to the public internet.
  64. }, // NOTE(review): if only some users need Funnel, narrow "target" to a group or tag.
  65. ],
  66. // Test access rules every time they're saved. The "tests" block below is commented out, so no assertions are checked on save.
  67. // "tests": [
  68. // {
  69. // "src": "[email protected]",
  70. // "accept": ["tag:example"],
  71. // "deny": ["100.101.102.103:443"],
  72. // },
  73. // ],
  74. }
  75.  