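{
  // Tailscale/Headscale-style ACL policy, presumably. Comments are permitted
  // (HuJSON), so this file is NOT strict JSON and must be read by a
  // comment-tolerant parser.
  "groups": {
    "group:admin": ["davide"],
    "group:family": ["davide", "dario"],
    "group:services": ["services"],
    // Intentionally empty: the two "group:external" rules below match no one
    // until members are added here.
    "group:external": []
  },
  // Who may apply each tag to a node. Each tag appears exactly once: a second
  // "tag:web" entry was dropped because duplicate keys are undefined in JSON
  // (most parsers silently keep the last value, which hides merge mistakes).
  "tagOwners": {
    "tag:web": ["group:admin"],
    "tag:dns": ["group:admin"],
    // Referenced by the first ACL rule but previously not defined here; the
    // owner mirrors the other admin-managed tags -- confirm this is intended.
    "tag:exitnode": ["group:admin"],
    "tag:game": ["group:admin", "group:family"]
  },
  "acls": [
    // Family and admin should be able to access every service
    // ("tag:xxx:*" = every port on nodes carrying that tag).
    {
      "action": "accept",
      "src": ["group:admin", "group:family"],
      "dst": [
        "tag:web:*",
        "tag:dns:*",
        "tag:exitnode:*"
      ]
    },
    // External can access only hosted games
    {
      "action": "accept",
      "src": ["group:external"],
      "dst": [
        "tag:game:*"
      ]
    },
    // And possibly the DNS server (or we break their internet connection).
    // Limited to UDP/53; DNS over TCP is not covered by this rule.
    {
      "action": "accept",
      "src": ["group:external"],
      "proto": "udp",
      "dst": [
        "tag:dns:53"
      ]
    },
    // Web services should be able to make DNS queries (UDP/53 only).
    {
      "action": "accept",
      "src": ["tag:web"],
      "proto": "udp",
      "dst": [
        "tag:dns:53"
      ]
    },
    // Family users may reach every port on devices belonging to family users.
    {
      "action": "accept",
      "src": ["group:family"],
      "dst": [
        "group:family:*"
      ]
    }
  ]
}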