terranix: better handle deployments

author: seth <[email protected]> 2023-12-27 04:49:26 -0500
committer: seth <[email protected]> 2023-12-27 05:09:07 -0500
commit: 773d59f2606c924de218d8d5bdfadcc875084047 (patch)
tree: 10bd52f58715adb47dcf87993885d2b3989d85c5 /terranix/tailscale/acl.nix
parent: 6f2a3fc6e3e20e719a4d570d883d64023db00653 (diff)
1 files changed, 25 insertions, 0 deletions
diff --git a/terranix/tailscale/acl.nix b/terranix/tailscale/acl.nix
new file mode 100644
index 0000000..d27d3e1
--- /dev/null
+++ b/terranix/tailscale/acl.nix
@@ -0,0 +1,25 @@
+{lib, ...}: {
+  resource.tailscale_acl.default = {
+    acl = toString (builtins.toJSON {
+      tagOwners = let
+        me = ["getchoo@github"];
+        tags = map (name: "tag:${name}") ["server" "personal" "gha"];
+      in
+        lib.genAttrs tags (_: me);
+
+      acls = let
+        mkAcl = action: src: dst: {inherit action src dst;};
+      in [
+        (mkAcl "accept" ["tag:personal"] ["*:*"])
+        (mkAcl "accept" ["tag:server" "tag:gha"] ["tag:server:*"])
+      ];
+
+      ssh = let
+        mkSshAcl = action: src: dst: users: {inherit action src dst users;};
+      in [
+        (mkSshAcl "accept" ["tag:personal"] ["tag:server" "tag:personal"] ["autogroup:nonroot" "root"])
+        (mkSshAcl "accept" ["tag:gha"] ["tag:server"] ["root"])
+      ];
+    });
+  };
+}
author	seth <[email protected]>	2023-12-27 04:49:26 -0500
committer	seth <[email protected]>	2023-12-27 05:09:07 -0500
commit	773d59f2606c924de218d8d5bdfadcc875084047 (patch)
tree	10bd52f58715adb47dcf87993885d2b3989d85c5 /terranix/tailscale/acl.nix
parent	6f2a3fc6e3e20e719a4d570d883d64023db00653 (diff)