authorseth <[email protected]>2023-12-13 23:12:51 -0500
committerseth <[email protected]>2023-12-13 23:19:09 -0500
commit974decdfa3449f47892532f9ac728275fb9fa2df (patch)
tree32b5491239060c74cbf3b27ca51bc620b5e62b4f /tf/tailscale
parent0be27ca642a9f30442d8c0566d00131da5e6b5d0 (diff)
tf: debrand config
Diffstat (limited to 'tf/tailscale')
-rw-r--r--tf/tailscale/acl.nix25
-rw-r--r--tf/tailscale/default.nix12
-rw-r--r--tf/tailscale/devices.nix17
-rw-r--r--tf/tailscale/dns.nix5
-rw-r--r--tf/tailscale/tags.nix15
5 files changed, 74 insertions, 0 deletions
diff --git a/tf/tailscale/acl.nix b/tf/tailscale/acl.nix
new file mode 100644
index 0000000..d27d3e1
--- /dev/null
+++ b/tf/tailscale/acl.nix
@@ -0,0 +1,25 @@
+{lib, ...}: {
+ resource.tailscale_acl.default = {
+ acl = toString (builtins.toJSON {
+ tagOwners = let
+ me = ["getchoo@github"];
+ tags = map (name: "tag:${name}") ["server" "personal" "gha"];
+ in
+ lib.genAttrs tags (_: me);
+
+ acls = let
+ mkAcl = action: src: dst: {inherit action src dst;};
+ in [
+ (mkAcl "accept" ["tag:personal"] ["*:*"])
+ (mkAcl "accept" ["tag:server" "tag:gha"] ["tag:server:*"])
+ ];
+
+ ssh = let
+ mkSshAcl = action: src: dst: users: {inherit action src dst users;};
+ in [
+ (mkSshAcl "accept" ["tag:personal"] ["tag:server" "tag:personal"] ["autogroup:nonroot" "root"])
+ (mkSshAcl "accept" ["tag:gha"] ["tag:server"] ["root"])
+ ];
+ });
+ };
+}
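Review bot: Line 46 grants `tag:gha` SSH as `root` to every `tag:server` with a plain `"accept"`, and line 45 gives `tag:personal` both `autogroup:nonroot` and `root` on servers; Tailscale SSH rules also support `"check"` as the action, which requires the user to re-authenticate before the session opens and is a sensible default for the root entries, e.g. `(mkSshAcl "check" ["tag:personal"] ["tag:server" "tag:personal"] ["autogroup:nonroot" "root"])`. Whether CI runners need root on all servers is not visible here; if only a subset is deployed to, narrowing that rule's `dst` limits what a leaked runner auth key can reach. The `*:*` grant on line 38 reads as the intended admin posture but deserves a one-line comment saying so. The tag list on line 31 is repeated in tf/tailscale/tags.nix line 114, so a rename in one place silently drifts from the other.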
diff --git a/tf/tailscale/default.nix b/tf/tailscale/default.nix
new file mode 100644
index 0000000..2225fd5
--- /dev/null
+++ b/tf/tailscale/default.nix
@@ -0,0 +1,12 @@
+{lib, ...}: {
+ imports = [
+ ./acl.nix
+ ./devices.nix
+ ./dns.nix
+ ./tags.nix
+ ];
+
+ provider.tailscale = {
+ tailnet = lib.tfRef "var.tailnet";
+ };
+}
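Review bot: The provider block on lines 65–67 sets only `tailnet`, so API credentials must arrive through the provider's environment (the tailscale provider falls back to `TAILSCALE_API_KEY` or the OAuth client env vars when `api_key`/`oauth_client_id` are unset); a comment such as `# auth comes from TAILSCALE_API_KEY / OAuth env vars, never from this config` would make that explicit to the next reader. `var.tailnet` is referenced on line 66 but declared outside this diff, which the module header could mention.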
diff --git a/tf/tailscale/devices.nix b/tf/tailscale/devices.nix
new file mode 100644
index 0000000..44ee3f1
--- /dev/null
+++ b/tf/tailscale/devices.nix
@@ -0,0 +1,17 @@
+{lib, ...}: {
+ data.tailscale_device = let
+ toDevices = devices:
+ lib.genAttrs devices (name: {
+ name = "${name}.tailc59d6.ts.net";
+ wait_for = "60s";
+ });
+ in
+ toDevices [
+ "atlas"
+ "caroline"
+ "glados"
+ "glados-wsl"
+ "glados-windows"
+ "iphone-14"
+ ];
+}
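Review bot: The MagicDNS suffix `tailc59d6.ts.net` is hard-coded on line 79 while the tailnet itself is parameterised via `var.tailnet` in default.nix, so a commit titled "debrand config" still leaves one tailnet-specific identifier baked into the module. Hoisting it into a single binding, `domain = "tailc59d6.ts.net";` in the `let` with `name = "${name}.${domain}";`, or a dedicated variable alongside `var.tailnet`, keeps it in one place. The list on lines 84–89 also includes `glados-windows`, which tags.nix does not tag; if that is deliberate a short comment would save a future reader from wondering whether it was missed.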
diff --git a/tf/tailscale/dns.nix b/tf/tailscale/dns.nix
new file mode 100644
index 0000000..320a24b
--- /dev/null
+++ b/tf/tailscale/dns.nix
@@ -0,0 +1,5 @@
+{
+ resource.tailscale_dns_preferences.default = {
+ magic_dns = true;
+ };
+}
diff --git a/tf/tailscale/tags.nix b/tf/tailscale/tags.nix
new file mode 100644
index 0000000..c519a25
--- /dev/null
+++ b/tf/tailscale/tags.nix
@@ -0,0 +1,15 @@
+{lib, ...}: {
+ resource.tailscale_device_tags = let
+ getDeviceID = device: lib.tfRef "data.tailscale_device.${device}.id";
+ toTags = n: v: {device_id = getDeviceID n;} // v;
+
+ tags = lib.genAttrs ["server" "personal" "gha"] (n: ["tag:${n}"]);
+ in
+ builtins.mapAttrs toTags {
+ atlas.tags = tags.server;
+ caroline.tags = tags.personal;
+ glados.tags = tags.personal;
+ glados-wsl.tags = tags.personal;
+ iphone-14.tags = tags.personal;
+ };
+}
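Review bot: The tag names on line 114 duplicate acl.nix line 31, and the device names on lines 117–121 duplicate devices.nix lines 84–89 (minus `glados-windows`); a name changed in one file but not the other yields a dangling `data.tailscale_device.<name>.id` reference or a tag with no owner only at plan time. Defining both lists once in a shared attribute set that the three modules import would give a single source of truth. `tag:gha` is owned in acl.nix but assigned to no device here, presumably because runners join with a tagged auth key; a comment stating that would keep it from looking like an omission.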