moderation · February 19, 2020 02:37
diff --git a/acl.cue b/acl.cue

 // Declare static groups of users beyond those in the identity service
 Groups: "group:eng": ["[email protected]", "[email protected]"]
 // Declare convenient hostname aliases to use in place of IP addresses
 Hosts: h222: "100.2.2.2"
 // Access control list
 ACLs: [{
 	Action: "accept"
 	// Match any of several users
 	Users: ["[email protected]", "[email protected]"]
 	// Match any port on h222, and port 22 of 10.1.2.3
 	Ports: ["h222:*", "10.1.2.3:22"]
 }, {
 	Action: "accept"
 	// Match any user at all
 	Users: ["*"]
 	// Match port 80 on one machine, ports 53 and 5353 on a second one,
 	// and ports 8000 through 8080 (a port range) on a third one.
 	Ports: ["h222:80", "10.8.8.8:53,5353", "10.2.3.4:8000-8080"]
 }, {
 	Action: "accept"
 	// Match all users in the "Admin" role (network administrators)
 	Users: ["role:Admin", "group:eng"]
 	// Allow access to port 22 on all servers
 	Ports: ["*:22"]
 }, {
 	Action: "accept"
 	Users: ["role:User"]
 	// Match only windows and linux workstations (not implemented yet)
 	OS: ["windows", "linux"]
 	// Only desktop machines are allowed to access this server
 	Ports: ["10.1.1.1:443"]
 }, {
 	Action: "accept"
 	Users: ["*"]
 	// Match machines which have never been authorized, or which expired.
 	// (not implemented yet)
 	MachineAuth: ["unauthorized", "expired"]
 	// Logged-in users on unauthorized machines can access the email server.
 	// Open the TLS ports for SMTP, IMAP, and HTTP.
 	Ports: ["10.1.2.3:465", "10.1.2.3:993", "10.1.2.3:443"]
 }, {
 	// Match absolutely everything. Comment out this section if you want
 	// the above ACLs to apply.
 	Action: "accept"
 	Users: ["*"]
 	Ports: ["*:*"]
 }]

	// Declare static groups of users beyond those in the identity service
	Groups: "group:eng": ["[email protected]", "[email protected]"]
	// Declare convenient hostname aliases to use in place of IP addresses
	Hosts: h222: "100.2.2.2"
	// Access control list
	ACLs: [{
	Action: "accept"
	// Match any of several users
	Users: ["[email protected]", "[email protected]"]
	// Match any port on h222, and port 22 of 10.1.2.3
	Ports: ["h222:*", "10.1.2.3:22"]
	}, {
	Action: "accept"
	// Match any user at all
	Users: ["*"]
	// Match port 80 on one machine, ports 53 and 5353 on a second one,
	// and ports 8000 through 8080 (a port range) on a third one.
	Ports: ["h222:80", "10.8.8.8:53,5353", "10.2.3.4:8000-8080"]
	}, {
	Action: "accept"
	// Match all users in the "Admin" role (network administrators)
	Users: ["role:Admin", "group:eng"]
	// Allow access to port 22 on all servers
	Ports: ["*:22"]
	}, {
	Action: "accept"
	Users: ["role:User"]
	// Match only windows and linux workstations (not implemented yet)
	OS: ["windows", "linux"]
	// Only desktop machines are allowed to access this server
	Ports: ["10.1.1.1:443"]
	}, {
	Action: "accept"
	Users: ["*"]
	// Match machines which have never been authorized, or which expired.
	// (not implemented yet)
	MachineAuth: ["unauthorized", "expired"]
	// Logged-in users on unauthorized machines can access the email server.
	// Open the TLS ports for SMTP, IMAP, and HTTP.
	Ports: ["10.1.2.3:465", "10.1.2.3:993", "10.1.2.3:443"]
	}, {
	// Match absolutely everything. Comment out this section if you want
	// the above ACLs to apply.
	Action: "accept"
	Users: ["*"]
	Ports: [":"]
	}]