From e6f79b30e620cf7bd5b06e2579e979ff090e925a Mon Sep 17 00:00:00 2001
From: seth
Date: Fri, 18 Oct 2024 03:10:35 -0400
Subject: more refactors & outsource some things (#477)
* tree-wide: drop flake-parts
* drop nixinate
* justfile: cleanup
* drop treefmt-nix
* doc: update READMEs
* flake: cleanup
* seth: don't use `./.`
* modules/nixos,darwin: bundle all modules
They all depend on each other anyways so
* systems: manually import internal modules
* seth: use riff module from nix-exprs
* flake: back to flake-parts
* Revert "flake: back to flake-parts"
This reverts commit 35334882f7c0c23991a4efd65ea08b216006b2b0.
Saving the last commit so I can go back if I want
* flake: use lib.const
this looks better...right?
* flake: declare systems like a normal person
---
 terranix/tailscale/acl.nix | 51 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)
 create mode 100644 terranix/tailscale/acl.nix
(limited to 'terranix/tailscale/acl.nix')
diff --git a/terranix/tailscale/acl.nix b/terranix/tailscale/acl.nix
new file mode 100644
index 0000000..80e3537
--- /dev/null
+++ b/terranix/tailscale/acl.nix
@@ -0,0 +1,51 @@
+{ lib, ... }:
+{
+ resource.tailscale_acl.default = {
+ acl = toString (
+ builtins.toJSON {
+ tagOwners =
+ let
+ me = [ "getchoo@github" ];
+ tags = map (name: "tag:${name}") [
+ "server"
+ "personal"
+ ];
+ in
+ lib.genAttrs tags (_: me);
+
+ acls =
+ let
+ mkAcl = action: src: dst: { inherit action src dst; };
+ in
+ [
+ (mkAcl "accept" [ "tag:personal" ] [ "*:*" ])
+ (mkAcl "accept" [ "tag:server" ] [ "tag:server:*" ])
+ ];
+
+ ssh =
+ let
+ mkSshAcl = action: src: dst: users: {
+ inherit
+ action
+ src
+ dst
+ users
+ ;
+ };
+ in
+ [
+ (mkSshAcl "accept" [ "tag:personal" ]
+ [
+ "tag:server"
+ "tag:personal"
+ ]
+ [
+ "autogroup:nonroot"
+ "root"
+ ]
+ )
+ ];
+ }
+ );
+ };
+}
--
cgit v1.2.3
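Review bot: The single `ssh` rule at the end of the hunk grants `root` on every `tag:server` and `tag:personal` node with a plain `accept`, so any device carrying `tag:personal` can open a root session anywhere on the tailnet with no further interaction. Tailscale SSH also offers the `check` action, which forces a fresh re-authentication before the session is opened; splitting the rule so that `autogroup:nonroot` keeps `accept` while `root` uses `check`, e.g. `(mkSshAcl "check" [ "tag:personal" ] [ "tag:server" "tag:personal" ] [ "root" ])`, preserves the convenience for unprivileged logins and adds an explicit step in front of privilege escalation. The same blanket reach appears in `acls`, where `tag:personal` is accepted to `*:*`; if that is deliberate, a comment such as `# personal devices are fully trusted; narrow dst if server-only access is ever wanted` would record the decision next to the rule. Minor: `builtins.toJSON` already yields a string, so the surrounding `toString ( ... )` is a no-op and can be dropped.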