Tailscale

Our currently access policies look as follows:

// This tailnet's ACLs are maintained in https://gitlab.com/garuda-linux/infra-nix
{
	// Define access control lists for users, groups, autogroups, tags,
	// Tailscale IP addresses, and subnet ranges
	"acls": [
		// All servers can connect to each other, use exit nodes and oracle-dragon as DNS
		{
			"action": "accept",
			"src":    ["tag:infra"],
			"dst":    ["tag:infra:*", "autogroup:internet:*", "100.86.102.115:*"],
		},
		// Tailscale admins can access every device
		{
			"action": "accept",
			"src":    ["autogroup:admin"],
			"dst":    ["*:*"],
		},
		// Shared out nodes can be accessed on SSH / Mosh ports
		{
			"action": "accept",
			"src":    ["autogroup:shared"],
			"dst":    ["*:22,222-230,666,60000-61000"],
		},
		// Let the chaotic nodes connect to chaotic-v4's Redis (build distribution)
		{
			"action": "accept",
			"src":    ["tag:chaotic-node"],
			"dst":    ["100.75.227.149:22,6379"],
		},
	],
	// Current infra maintainers
	"groups": {
		"group:admins": ["dr460nf1r3@github", "JustTNE@github"],
	},
	// Define a tag to use as destinations
	"tagOwners": {
		// Admins may apply the "infra" tag
		"tag:infra":        ["group:admins"],
		"tag:chaotic-node": ["group:admins"],
	},
}