Diffstat (limited to 'tofu/tailscale')
| -rw-r--r-- | tofu/tailscale/acl.nix | 27 | ||||
| -rw-r--r-- | tofu/tailscale/default.nix | 12 | ||||
| -rw-r--r-- | tofu/tailscale/devices.nix | 17 | ||||
| -rw-r--r-- | tofu/tailscale/dns.nix | 5 | ||||
| -rw-r--r-- | tofu/tailscale/tags.nix | 15 |
5 files changed, 76 insertions, 0 deletions
diff --git a/tofu/tailscale/acl.nix b/tofu/tailscale/acl.nix
new file mode 100644
index 0000000..46503d8
--- /dev/null
+++ b/tofu/tailscale/acl.nix
@@ -0,0 +1,27 @@
+{lib, ...}: {
+ resource = {
+ tailscale_acl.main = {
+ acl = toString (builtins.toJSON {
+ tagOwners = let
+ me = ["getchoo@github"];
+ tags = map (name: "tag:${name}") ["server" "personal" "gha"];
+ in
+ lib.genAttrs tags (_: me);
+
+ acls = let
+ mkAcl = action: src: dst: {inherit action src dst;};
+ in [
+ (mkAcl "accept" ["tag:personal"] ["*:*"])
+ (mkAcl "accept" ["tag:server" "tag:gha"] ["tag:server:*"])
+ ];
+
+ ssh = let
+ mkSshAcl = action: src: dst: users: {inherit action src dst users;};
+ in [
+ (mkSshAcl "accept" ["tag:personal"] ["tag:server" "tag:personal"] ["autogroup:nonroot" "root"])
+ (mkSshAcl "accept" ["tag:gha"] ["tag:server"] ["root"])
+ ];
+ });
+ };
+ };
+}
diff --git a/tofu/tailscale/default.nix b/tofu/tailscale/default.nix
new file mode 100644
index 0000000..2225fd5
--- /dev/null
+++ b/tofu/tailscale/default.nix
@@ -0,0 +1,12 @@
+{lib, ...}: {
+ imports = [
+ ./acl.nix
+ ./devices.nix
+ ./dns.nix
+ ./tags.nix
+ ];
+
+ provider.tailscale = {
+ tailnet = lib.tfRef "var.tailnet";
+ };
+}
diff --git a/tofu/tailscale/devices.nix b/tofu/tailscale/devices.nix
new file mode 100644
index 0000000..44ee3f1
--- /dev/null
+++ b/tofu/tailscale/devices.nix
@@ -0,0 +1,17 @@
+{lib, ...}: {
+ data.tailscale_device = let
+ toDevices = devices:
+ lib.genAttrs devices (name: {
+ name = "${name}.tailc59d6.ts.net";
+ wait_for = "60s";
+ });
+ in
+ toDevices [
+ "atlas"
+ "caroline"
+ "glados"
+ "glados-wsl"
+ "glados-windows"
+ "iphone-14"
+ ];
+}
diff --git a/tofu/tailscale/dns.nix b/tofu/tailscale/dns.nix
new file mode 100644
index 0000000..320a24b
--- /dev/null
+++ b/tofu/tailscale/dns.nix
@@ -0,0 +1,5 @@
+{
+ resource.tailscale_dns_preferences.default = {
+ magic_dns = true;
+ };
+}
diff --git a/tofu/tailscale/tags.nix b/tofu/tailscale/tags.nix
new file mode 100644
index 0000000..c519a25
--- /dev/null
+++ b/tofu/tailscale/tags.nix
@@ -0,0 +1,15 @@
+{lib, ...}: {
+ resource.tailscale_device_tags = let
+ getDeviceID = device: lib.tfRef "data.tailscale_device.${device}.id";
+ toTags = n: v: {device_id = getDeviceID n;} // v;
+
+ tags = lib.genAttrs ["server" "personal" "gha"] (n: ["tag:${n}"]);
+ in
+ builtins.mapAttrs toTags {
+ atlas.tags = tags.server;
+ caroline.tags = tags.personal;
+ glados.tags = tags.personal;
+ glados-wsl.tags = tags.personal;
+ iphone-14.tags = tags.personal;
+ };
+}
|
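Review bot: The first `mkSshAcl` entry grants `root` on every `tag:server` and `tag:personal` node with `action = "accept"`, so a single compromised personal device gets root on the whole fleet with no re-authentication step. Tailscale SSH also accepts `"check"` as the action, which requires the user to re-authenticate before the session opens, and because `mkSshAcl` already takes the action as its first argument the root grant can be split off: `(mkSshAcl "accept" ["tag:personal"] ["tag:server" "tag:personal"] ["autogroup:nonroot"])` followed by `(mkSshAcl "check" ["tag:personal"] ["tag:server" "tag:personal"] ["root"])`. The `tag:gha` → `tag:server` root entry is non-interactive so `check` does not fit there, but it is worth confirming that the CI job needs root rather than a dedicated unprivileged user. Separately, `(mkAcl "accept" ["tag:personal"] ["*:*"])` lets personal nodes reach every port on every node including the `tag:gha` runners, so `dst` could be narrowed if that breadth is not needed, and the `toString` around `builtins.toJSON` is a no-op that can be dropped.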
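Review bot: `glados-windows` is looked up in the `toDevices` list but never receives a tag in tags.nix, and since every `acls` and `ssh` entry in acl.nix is keyed on `tag:` sources and destinations an untagged node matches none of them; confirm that is intended or drop the lookup. The MagicDNS suffix `tailc59d6.ts.net` is hard-coded in `name` while default.nix already takes the tailnet from `var.tailnet`; if that variable holds the same domain, `name = "${name}.${lib.tfRef "var.tailnet"}";` keeps a single source of truth, and if it holds the organisation name instead a second variable for the DNS suffix is the cleaner option. `wait_for = "60s"` appears to make a plan block for up to a minute per device that is not yet present in the tailnet, which deserves a short comment on that line.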
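Review bot: The list `["server" "personal" "gha"]` on the `tags = lib.genAttrs ...` line duplicates the list used for `tagOwners` in acl.nix, so a tag added in one place but not the other is silently either unowned or unassignable; hoisting it into one shared attribute that both modules read would remove that drift. Nothing here assigns `tag:gha`, so any node carrying it is presumably tagged at registration through a tagged auth key outside this config; given acl.nix grants that tag root SSH on every `tag:server` node, it is worth documenting where those keys are issued and that the runners are ephemeral. A comment such as `# gha runners are tagged via their auth key, not here` on the `tags` binding would make that explicit.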
