diff options
| author | seth <[email protected]> | 2024-10-18 03:10:35 -0400 |
|---|---|---|
| committer | GitHub <[email protected]> | 2024-10-18 07:10:35 +0000 |
| commit | e6f79b30e620cf7bd5b06e2579e979ff090e925a (patch) | |
| tree | 1dd2b20126602ef448f77fbb9cdd44ba7f02a58c /terranix/tailscale | |
| parent | fdaf8680ef5bbcadb7cece43911beff18f90cdb2 (diff) | |
more refactors & outsource some things (#477)
* tree-wide: drop flake-parts
* drop nixinate
* justfile: cleanup
* drop treefmt-nix
* doc: update READMEs
* flake: cleanup
* seth: don't use `./.`
* modules/nixos,darwin: bundle all modules
They all depend on each other anyways so
* systems: manually import internal modules
* seth: use riff module from nix-exprs
* flake: back to flake-parts
* Revert "flake: back to flake-parts"
This reverts commit 35334882f7c0c23991a4efd65ea08b216006b2b0.
Saving the last commit so I can go back if I want
* flake: use lib.const
this looks better...right?
* flake: declare systems like a normal person
Diffstat (limited to 'terranix/tailscale')
| -rw-r--r-- | terranix/tailscale/acl.nix | 51 | ||||
| -rw-r--r-- | terranix/tailscale/default.nix | 13 | ||||
| -rw-r--r-- | terranix/tailscale/devices.nix | 20 | ||||
| -rw-r--r-- | terranix/tailscale/dns.nix | 5 | ||||
| -rw-r--r-- | terranix/tailscale/tags.nix | 21 |
5 files changed, 110 insertions, 0 deletions
diff --git a/terranix/tailscale/acl.nix b/terranix/tailscale/acl.nix new file mode 100644 index 0000000..80e3537 --- /dev/null +++ b/terranix/tailscale/acl.nix @@ -0,0 +1,51 @@ +{ lib, ... }: +{ + resource.tailscale_acl.default = { + acl = toString ( + builtins.toJSON { + tagOwners = + let + me = [ "getchoo@github" ]; + tags = map (name: "tag:${name}") [ + "server" + "personal" + ]; + in + lib.genAttrs tags (_: me); + + acls = + let + mkAcl = action: src: dst: { inherit action src dst; }; + in + [ + (mkAcl "accept" [ "tag:personal" ] [ "*:*" ]) + (mkAcl "accept" [ "tag:server" ] [ "tag:server:*" ]) + ]; + + ssh = + let + mkSshAcl = action: src: dst: users: { + inherit + action + src + dst + users + ; + }; + in + [ + (mkSshAcl "accept" [ "tag:personal" ] + [ + "tag:server" + "tag:personal" + ] + [ + "autogroup:nonroot" + "root" + ] + ) + ]; + } + ); + }; +} diff --git a/terranix/tailscale/default.nix b/terranix/tailscale/default.nix new file mode 100644 index 0000000..b370b34 --- /dev/null +++ b/terranix/tailscale/default.nix @@ -0,0 +1,13 @@ +{ lib, ... }: +{ + imports = [ + ./acl.nix + ./devices.nix + ./dns.nix + ./tags.nix + ]; + + provider.tailscale = { + tailnet = lib.tfRef "var.tailnet"; + }; +} diff --git a/terranix/tailscale/devices.nix b/terranix/tailscale/devices.nix new file mode 100644 index 0000000..625c56e --- /dev/null +++ b/terranix/tailscale/devices.nix @@ -0,0 +1,20 @@ +{ lib, ... }: +{ + data.tailscale_device = + let + toDevices = + devices: + lib.genAttrs devices (name: { + name = "${name}.tailc59d6.ts.net"; + wait_for = "60s"; + }); + in + toDevices [ + "atlas" + "caroline" + "glados" + "glados-wsl" + "glados-windows" + "iphone-14" + ]; +} diff --git a/terranix/tailscale/dns.nix b/terranix/tailscale/dns.nix new file mode 100644 index 0000000..320a24b --- /dev/null +++ b/terranix/tailscale/dns.nix @@ -0,0 +1,5 @@ +{ + resource.tailscale_dns_preferences.default = { + magic_dns = true; + }; +} diff --git a/terranix/tailscale/tags.nix b/terranix/tailscale/tags.nix new file mode 100644 index 0000000..3e82dbb --- /dev/null +++ b/terranix/tailscale/tags.nix @@ -0,0 +1,21 @@ +{ lib, ... }: +{ + resource.tailscale_device_tags = + let + getDeviceID = device: lib.tfRef "data.tailscale_device.${device}.id"; + toTags = n: v: { device_id = getDeviceID n; } // v; + + tags = lib.genAttrs [ + "server" + "personal" + ] (n: [ "tag:${n}" ]); + in + builtins.mapAttrs toTags { + atlas.tags = tags.server; + caroline.tags = tags.personal; + glados.tags = tags.personal; + glados-wsl.tags = tags.personal; + glados-windows.tags = tags.personal; + iphone-14.tags = tags.personal; + }; +} |