From 03cea3ba8fea453fa5ca1611c7d8af152e2fcaaa Mon Sep 17 00:00:00 2001
From: seth
Date: Mon, 11 Dec 2023 19:08:10 -0500
Subject: start using opentofu

---
 tofu/tailscale/acl.nix | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 tofu/tailscale/acl.nix

(limited to 'tofu/tailscale/acl.nix')

diff --git a/tofu/tailscale/acl.nix b/tofu/tailscale/acl.nix
new file mode 100644
index 0000000..46503d8
--- /dev/null
+++ b/tofu/tailscale/acl.nix
@@ -0,0 +1,27 @@
+{lib, ...}: {
+ resource = {
+ tailscale_acl.main = {
+ acl = toString (builtins.toJSON {
+ tagOwners = let
+ me = ["getchoo@github"];
+ tags = map (name: "tag:${name}") ["server" "personal" "gha"];
+ in
+ lib.genAttrs tags (_: me);
+
+ acls = let
+ mkAcl = action: src: dst: {inherit action src dst;};
+ in [
+ (mkAcl "accept" ["tag:personal"] ["*:*"])
+ (mkAcl "accept" ["tag:server" "tag:gha"] ["tag:server:*"])
+ ];
+
+ ssh = let
+ mkSshAcl = action: src: dst: users: {inherit action src dst users;};
+ in [
+ (mkSshAcl "accept" ["tag:personal"] ["tag:server" "tag:personal"] ["autogroup:nonroot" "root"])
+ (mkSshAcl "accept" ["tag:gha"] ["tag:server"] ["root"])
+ ];
+ });
+ };
+ };
+}
-- 
cgit v1.2.3
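Review bot: The `ssh` block grants unconditional root logins: `(mkSshAcl "accept" ["tag:gha"] ["tag:server"] ["root"])` gives every node tagged `gha` (presumably CI runners) root on every `tag:server` node with no re-authentication, so a compromised runner or leaked auth key gets root across the fleet. Tailscale SSH supports the `"check"` action, which requires the user to re-authenticate before a session opens; for the interactive personal entry that would be `(mkSshAcl "check" ["tag:personal"] ["tag:server" "tag:personal"] ["autogroup:nonroot" "root"])`, and for the non-interactive `gha` entry consider a dedicated unprivileged deploy user in place of `["root"]`. The network rule `(mkAcl "accept" ["tag:server" "tag:gha"] ["tag:server:*"])` likewise lets any server reach any other server on all ports, which widens lateral movement if one host is compromised; if that is intentional, a short comment above `acls` stating why the server-to-server allow is fully open would help the next reader. A header comment noting that `tagOwners` restricts who may apply these tags to `getchoo@github` would also document the trust model this file encodes.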