fix(docs): migrating tailscale acl notes to provisioner repo
venkatamutyala authored Dec 16, 2024
1 parent 9659d5e commit bd70e2c
Showing 1 changed file with 0 additions and 107 deletions.
107 changes: 0 additions & 107 deletions README.md
Expand Up @@ -117,113 +117,6 @@ _Note: For the steps below use a service account that has Admin permissions._

6. Generate an API acess token: you will need to give it a description. The key must be rotated and has a max expiration of 90 days, but can be shortened. This will be your Tailscale api token.

### Setup tailscale ACLs

Here is an example ACL that does the following:

- Machines with `tag:app-prod-provisioner-api` can talk to `tag:app-prod-provisioner-nodes` and vice versa.
- Users in `group:app-prod-provisioner-developers` can talk to `tag:app-prod-provisioner-api` and `tag:app-prod-provisioner-nodes`
- `tim.cook@glueops.dev` is part of `group:app-prod-provisioner-developers`
- `tim.cook@glueops.dev` can access their own instances tagged with `tag:tim-cook` however because we are using a SVC Admin account to tag the machines `tim.cook` doesn't actually own the tag itself.

The goals of this ACL policy are to allow the provisioner API to access "provisioner nodes" via SSH (port 2222 since tailscale SSH takes over port 22). `tim.cook` needs to be able to admistrate provisioner nodes so he is part of `group:app-prod-provisioner-developers` otherwise he can be kept out of this group. `tim.cook` also uses a workspace himself so he needs to have a tag himself. Any user that uses a developer workspace will need their own tag so that this slack workspace bot can assign machines to them (e.g. `tag:tim-cook`).

When testing new policies/ACLs it's best to just create a separate tailnet/tailscale account for testing.

```json
{
"acls": [
{
"action": "accept",
"dst": [
"tag:app-prod-provisioner-api:*",
"tag:app-prod-provisioner-nodes:*"
],
"src": [
"group:app-prod-provisioner-developers"
]
},
{
"action": "accept",
"dst": [
"tag:app-prod-provisioner-nodes:*"
],
"src": [
"tag:app-prod-provisioner-api"
]
},
{
"action": "accept",
"dst": [
"tag:tim-cook:*"
],
"src": [
"tim.cook@glueops.dev"
]
}
],
"groups": {
"group:app-prod-provisioner-developers": [
"tim.cook@glueops.dev"
]
},
"ssh": [
{
"action": "check",
"dst": [
"autogroup:self"
],
"src": [
"autogroup:member"
],
"users": [
"autogroup:nonroot",
"root"
]
},
{
"action": "check",
"dst": [
"tag:tim-cook"
],
"src": [
"autogroup:member",
"autogroup:admin"
],
"users": [
"autogroup:nonroot",
"root"
]
},
{
"action": "check",
"dst": [
"tag:app-prod-provisioner-api",
"tag:app-prod-provisioner-nodes"
],
"src": [
"group:app-prod-provisioner-developers"
],
"users": [
"autogroup:nonroot",
"root"
]
}
],
"tagOwners": {
"tag:tim-cook": [
"autogroup:admin"
],
"tag:app-prod-provisioner-api": [
"group:app-prod-provisioner-developers"
],
"tag:app-prod-provisioner-nodes": [
"group:app-prod-provisioner-developers"
]
}
}
```

# Adding Bot commands
The bot is set up with a command handler to process text commands with a prefix of ! i.e. !vm. It currently does not support slash commands.
The bot has some built in example commands found in bot/src/commands. To register a new command, create a file command.js in either the bot/src/commands, or command-handler/src/commands with `myCommand.js` being the command you want to register.
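Review bot: the hunk removes the whole "Setup tailscale ACLs" section (the bullet summary, the goals paragraph and the ACL policy JSON) but leaves no pointer to where the content now lives, so a reader following step 6 ("Generate an API acess token ... This will be your Tailscale api token.") drops straight into "# Adding Bot commands" with no hint that the ACL setup still has to happen. Since the commit message says the notes are being migrated to the provisioner repo, keep a one-line stub in place of the deleted section, e.g. "### Setup tailscale ACLs" followed by "The ACL policy and tagging notes for the provisioner now live in the provisioner repository." with a link to the new location once it exists, so the remaining steps here stay self-contained. It is also worth noting in that stub that the deleted policy's `tagOwners` block gave `group:app-prod-provisioner-developers` ownership of the `tag:app-prod-provisioner-api` and `tag:app-prod-provisioner-nodes` tags; whoever applies the migrated policy needs that context, and this README no longer carries it.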
