path: root/tf/tailscale/acl.nix
Diffstat (limited to 'tf/tailscale/acl.nix')
-rw-r--r--tf/tailscale/acl.nix25
1 files changed, 25 insertions, 0 deletions
diff --git a/tf/tailscale/acl.nix b/tf/tailscale/acl.nix
new file mode 100644
index 0000000..d27d3e1
--- /dev/null
+++ b/tf/tailscale/acl.nix
@@ -0,0 +1,25 @@
+{lib, ...}: {
+ resource.tailscale_acl.default = {
+ acl = toString (builtins.toJSON {
+ tagOwners = let
+ me = ["getchoo@github"];
+ tags = map (name: "tag:${name}") ["server" "personal" "gha"];
+ in
+ lib.genAttrs tags (_: me);
+
+ acls = let
+ mkAcl = action: src: dst: {inherit action src dst;};
+ in [
+ (mkAcl "accept" ["tag:personal"] ["*:*"])
+ (mkAcl "accept" ["tag:server" "tag:gha"] ["tag:server:*"])
+ ];
+
+ ssh = let
+ mkSshAcl = action: src: dst: users: {inherit action src dst users;};
+ in [
+ (mkSshAcl "accept" ["tag:personal"] ["tag:server" "tag:personal"] ["autogroup:nonroot" "root"])
+ (mkSshAcl "accept" ["tag:gha"] ["tag:server"] ["root"])
+ ];
+ });
+ };
+}
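Review bot: The ssh rule on line 36 grants `tag:gha` root access to every `tag:server` node with action `"accept"`, so any device holding the CI tag gets unconditional root on all servers without a re-authentication step; if root is genuinely needed there, the Tailscale SSH `"check"` action for that entry or a narrower user list would keep the blast radius of a leaked CI credential smaller, and a comment such as `# gha runners deploy as root; revisit if a dedicated deploy user is added` would record the intent. The same applies to line 35, where `tag:personal` is accepted as `root` on servers and personal nodes without `"check"`. Note also that `tag:gha` is owned by a single GitHub identity (line 20), so that account effectively controls which machines can obtain server root. As a minor style point, `toString` on line 18 is redundant because `builtins.toJSON` already returns a string.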