Diffstat (limited to 'terranix/tailscale')
| -rw-r--r-- | terranix/tailscale/acl.nix | 51 | ||||
| -rw-r--r-- | terranix/tailscale/default.nix | 13 | ||||
| -rw-r--r-- | terranix/tailscale/devices.nix | 20 | ||||
| -rw-r--r-- | terranix/tailscale/dns.nix | 5 | ||||
| -rw-r--r-- | terranix/tailscale/tags.nix | 21 |
5 files changed, 110 insertions, 0 deletions
diff --git a/terranix/tailscale/acl.nix b/terranix/tailscale/acl.nix
new file mode 100644
index 0000000..80e3537
--- /dev/null
+++ b/terranix/tailscale/acl.nix
@@ -0,0 +1,51 @@
+{ lib, ... }:
+{
+ resource.tailscale_acl.default = {
+ acl = toString (
+ builtins.toJSON {
+ tagOwners =
+ let
+ me = [ "getchoo@github" ];
+ tags = map (name: "tag:${name}") [
+ "server"
+ "personal"
+ ];
+ in
+ lib.genAttrs tags (_: me);
+
+ acls =
+ let
+ mkAcl = action: src: dst: { inherit action src dst; };
+ in
+ [
+ (mkAcl "accept" [ "tag:personal" ] [ "*:*" ])
+ (mkAcl "accept" [ "tag:server" ] [ "tag:server:*" ])
+ ];
+
+ ssh =
+ let
+ mkSshAcl = action: src: dst: users: {
+ inherit
+ action
+ src
+ dst
+ users
+ ;
+ };
+ in
+ [
+ (mkSshAcl "accept" [ "tag:personal" ]
+ [
+ "tag:server"
+ "tag:personal"
+ ]
+ [
+ "autogroup:nonroot"
+ "root"
+ ]
+ )
+ ];
+ }
+ );
+ };
+}
diff --git a/terranix/tailscale/default.nix b/terranix/tailscale/default.nix
new file mode 100644
index 0000000..b370b34
--- /dev/null
+++ b/terranix/tailscale/default.nix
@@ -0,0 +1,13 @@
+{ lib, ... }:
+{
+ imports = [
+ ./acl.nix
+ ./devices.nix
+ ./dns.nix
+ ./tags.nix
+ ];
+
+ provider.tailscale = {
+ tailnet = lib.tfRef "var.tailnet";
+ };
+}
diff --git a/terranix/tailscale/devices.nix b/terranix/tailscale/devices.nix
new file mode 100644
index 0000000..625c56e
--- /dev/null
+++ b/terranix/tailscale/devices.nix
@@ -0,0 +1,20 @@
+{ lib, ... }:
+{
+ data.tailscale_device =
+ let
+ toDevices =
+ devices:
+ lib.genAttrs devices (name: {
+ name = "${name}.tailc59d6.ts.net";
+ wait_for = "60s";
+ });
+ in
+ toDevices [
+ "atlas"
+ "caroline"
+ "glados"
+ "glados-wsl"
+ "glados-windows"
+ "iphone-14"
+ ];
+}
diff --git a/terranix/tailscale/dns.nix b/terranix/tailscale/dns.nix
new file mode 100644
index 0000000..320a24b
--- /dev/null
+++ b/terranix/tailscale/dns.nix
@@ -0,0 +1,5 @@
+{
+ resource.tailscale_dns_preferences.default = {
+ magic_dns = true;
+ };
+}
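Review bot: The single `ssh` rule in acl.nix lets any `tag:personal` device open a root session on every `tag:server` and `tag:personal` node with action `accept`, so no re-authentication is ever demanded for root; Tailscale SSH also has the `check` action, which requires a fresh identity check before the session opens, and splitting root out into its own rule, e.g. `(mkSshAcl "check" [ "tag:personal" ] [ "tag:server" "tag:personal" ] [ "root" ])` while the `autogroup:nonroot` rule stays on `accept`, keeps convenience for unprivileged logins and adds friction only where it matters. The `acls` entry `tag:personal -> *:*` likewise reaches every port on every node in the tailnet, including the other personal devices; if that breadth is deliberate, a one-line comment above `acls` saying so (`# personal devices are trusted to reach the whole tailnet; servers only talk to each other`) would save the next reader from wondering whether `tag:personal:*` was meant.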
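Review bot: The `provider.tailscale` block in default.nix sets only `tailnet`, so the API credential is presumably supplied out of band by the Tailscale provider's environment rather than by anything in this tree, and that is worth stating in place so nobody later "fixes" a failing plan by committing a literal `api_key` here: `# credentials are read from the provider's environment, never from this file`. `var.tailnet` is referenced but not declared in any of the five files shown, so its definition must live outside `terranix/tailscale` (the diffstat is limited to that directory, so this cannot be confirmed from here); a comment naming where it is declared would help too.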
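Review bot: The MagicDNS suffix `tailc59d6.ts.net` in devices.nix is a bare literal inside `toDevices`, applied to all six devices, so a tailnet rename or a move to a different tailnet means hunting for it in the string; hoisting it next to `toDevices` (`tailnetDomain = "tailc59d6.ts.net";` and `name = "${name}.${tailnetDomain}";`) makes it a one-line change and gives the value a name. The device list here and the attribute names in tags.nix must also be kept in step by hand, because each `tailscale_device_tags` entry resolves `data.tailscale_device.<name>.id` and a device added to one file but not the other only fails at plan time; deriving one list from the other (for example passing `builtins.attrNames` of the tag mapping into `toDevices`) would remove that drift, and I have not repeated this point on the tags.nix hunk.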
diff --git a/terranix/tailscale/tags.nix b/terranix/tailscale/tags.nix
new file mode 100644
index 0000000..3e82dbb
--- /dev/null
+++ b/terranix/tailscale/tags.nix
@@ -0,0 +1,21 @@
+{ lib, ... }:
+{
+ resource.tailscale_device_tags =
+ let
+ getDeviceID = device: lib.tfRef "data.tailscale_device.${device}.id";
+ toTags = n: v: { device_id = getDeviceID n; } // v;
+
+ tags = lib.genAttrs [
+ "server"
+ "personal"
+ ] (n: [ "tag:${n}" ]);
+ in
+ builtins.mapAttrs toTags {
+ atlas.tags = tags.server;
+ caroline.tags = tags.personal;
+ glados.tags = tags.personal;
+ glados-wsl.tags = tags.personal;
+ glados-windows.tags = tags.personal;
+ iphone-14.tags = tags.personal;
+ };
+}
|
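Review bot: In tags.nix `toTags = n: v: { device_id = getDeviceID n; } // v;` puts the per-device attrset on the right of `//`, so an entry that happens to carry its own `device_id` would silently override the id looked up from `data.tailscale_device` and retag a different machine; reversing the merge, `toTags = n: v: v // { device_id = getDeviceID n; };`, makes the computed id authoritative at no cost to the current six entries. A short comment on `tags` noting that the two names must match the `tagOwners` keys built in acl.nix (`# must stay in sync with tagOwners in acl.nix`) would also document the coupling, since a tag applied here without an owner there is rejected by the ACL.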
