// This file is managed in the nixos-config repo
{
// Declare static groups of users beyond those in the identity service.
"groups": {
"group:admins": ["DarkKirb@github"]
},
// Access control lists.
"acls": [
// Allow DNS access to the DNS servers
{
"action": "accept",
"src": ["*"],
"dst": ["tag:dnsserver:53"]
},
// Allow ssh access to build devices
{
"action": "accept",
"src": ["*"],
"dst": ["tag:buildserver:22"]
},
// Allow all development devices to connect via ssh
{
"action": "accept",
"src": ["tag:devDevice"],
"dst": ["*:22"]
},
// HTTP and HTTPS servers on tagged servers can be accessed from any device
{
"action": "accept",
"src": ["*"],
"dst": ["tag:server:80", "tag:server:443"]
},
// any device can access the email server
{
"action": "accept",
"src": ["*"],
"dst": [
"tag:nixos-8gb-fsn1-1:25", // SMTP
"tag:nixos-8gb-fsn1-1:110", // POP3
"tag:nixos-8gb-fsn1-1:143", // IMAP
"tag:nixos-8gb-fsn1-1:465", // SMTPS (implicit TLS)
"tag:nixos-8gb-fsn1-1:587", // Submission (STARTTLS)
"tag:nixos-8gb-fsn1-1:993", // IMAPS
"tag:nixos-8gb-fsn1-1:995" // POP3S
]
},
// Prometheus scrapers
{
"action": "accept",
"src": ["tag:nixos-8gb-fsn1-1"],
"dst": [
"*:9100", // node exporter
"*:28183",
"*:41115", // promtail
"tag:dnsserver:9119", // bind
"tag:nixos-8gb-fsn1-1:9000", // matrix media repo
"tag:nas:9102", // statsd-exporter
"tag:nixos-8gb-fsn1-1:3100", // loki
"tag:server:9187", // postgres
"tag:nutty-noon:9187"
]
},
// postgres and redis
{
"action": "accept",
"src": ["tag:instance-20221213-1915"],
"dst": ["tag:nixos-8gb-fsn1-1:5432", "tag:nixos-8gb-fsn1-1:53538"]
},
// syncthing
{
"action": "accept",
"src": ["tag:syncthing"],
"dst": ["tag:syncthing:22000"]
},
// syncthing admin panel, cups
{
"action": "accept",
"src": ["tag:devDevice"],
"dst": ["tag:nas:8384", "tag:nas:631", "tag:ipfs:5001"]
},
// Woodpecker agents
{
"action": "accept",
"src": ["tag:woodpeckerRunner"],
"dst": ["tag:nas:9000"]
},
// Mautrix bridges
{
"action": "accept",
"src": ["tag:nas"],
"dst": [
"tag:instance-20221213-1915:29320", // mautrix-discord
"tag:instance-20221213-1915:29328", // mautrix-signal
"tag:instance-20221213-1915:29317", // mautrix-telegram
"tag:instance-20221213-1915:29318" // mautrix-whatsapp
]
},
// IPFS
{
"action": "accept",
"src": ["tag:ipfs"],
"dst": ["tag:ipfs:4001"]
}
],
"tagOwners": {
"tag:instance-20221213-1915": ["DarkKirb@github"],
"tag:nixos-8gb-fsn1-1": ["DarkKirb@github"],
"tag:nas": ["DarkKirb@github"],
"tag:moto-g82-5g": ["DarkKirb@github"],
"tag:nutty-noon": ["DarkKirb@github"],
"tag:thinkrac": ["DarkKirb@github"],
"tag:dnsserver": ["DarkKirb@github"],
"tag:buildserver": ["DarkKirb@github"],
"tag:devDevice": ["DarkKirb@github"],
"tag:server": ["DarkKirb@github"],
"tag:syncthing": ["DarkKirb@github"],
"tag:woodpeckerRunner": ["DarkKirb@github"],
"tag:ipfs": ["DarkKirb@github"]
}
}