start using opentofu

author: seth <[email protected]> 2023-12-11 19:08:10 -0500
committer: seth <[email protected]> 2023-12-12 22:43:30 -0500
commit: 03cea3ba8fea453fa5ca1611c7d8af152e2fcaaa (patch)
tree: c3f8895328329485714a5e51d928af1bf9892d46 /tofu/tailscale/acl.nix
parent: 988e00c510b1cc6b50e2211c4d0e8852463b1741 (diff)
1 files changed, 27 insertions, 0 deletions
diff --git a/tofu/tailscale/acl.nix b/tofu/tailscale/acl.nix
new file mode 100644
index 0000000..46503d8
--- /dev/null
+++ b/tofu/tailscale/acl.nix
@@ -0,0 +1,27 @@
+{lib, ...}: {
+  resource = {
+    tailscale_acl.main = {
+      acl = toString (builtins.toJSON {
+        tagOwners = let
+          me = ["getchoo@github"];
+          tags = map (name: "tag:${name}") ["server" "personal" "gha"];
+        in
+          lib.genAttrs tags (_: me);
+
+        acls = let
+          mkAcl = action: src: dst: {inherit action src dst;};
+        in [
+          (mkAcl "accept" ["tag:personal"] ["*:*"])
+          (mkAcl "accept" ["tag:server" "tag:gha"] ["tag:server:*"])
+        ];
+
+        ssh = let
+          mkSshAcl = action: src: dst: users: {inherit action src dst users;};
+        in [
+          (mkSshAcl "accept" ["tag:personal"] ["tag:server" "tag:personal"] ["autogroup:nonroot" "root"])
+          (mkSshAcl "accept" ["tag:gha"] ["tag:server"] ["root"])
+        ];
+      });
+    };
+  };
+}
author	seth <[email protected]>	2023-12-11 19:08:10 -0500
committer	seth <[email protected]>	2023-12-12 22:43:30 -0500
commit	03cea3ba8fea453fa5ca1611c7d8af152e2fcaaa (patch)
tree	c3f8895328329485714a5e51d928af1bf9892d46 /tofu/tailscale/acl.nix
parent	988e00c510b1cc6b50e2211c4d0e8852463b1741 (diff)