# Sets resource.tailscale_acl.default.acl to the tailnet policy, serialised as
# a JSON string. The policy has three parts: tag ownership, network ACLs and
# Tailscale SSH rules.
{lib, ...}: let
  # The single account allowed to apply any of the tags below. Whoever can
  # authenticate as this account can place a device under any tag, including
  # tag:personal, which holds the broadest grants in this policy.
  owner = ["getchoo@github"];

  asTag = name: "tag:${name}";
  tagNames = ["server" "personal" "gha"];

  # Network rule: { action, src, dst }.
  rule = action: src: dst: {inherit action src dst;};

  # SSH rule: a network-shaped rule plus the login users it permits.
  sshRule = action: src: dst: users: rule action src dst // {inherit users;};

  policy = {
    # Every tag maps to the same owner list.
    tagOwners = lib.genAttrs (map asTag tagNames) (_: owner);

    acls = [
      # Personal devices may reach every host on every port.
      (rule "accept" ["tag:personal"] ["*:*"])

      # Servers and tag:gha nodes may reach every port on every server.
      # NOTE(review): tag:gha gets the same all-ports reach as server-to-server
      # traffic. If those nodes only need to deploy over SSH, a port-scoped
      # destination would limit what a compromised CI job can touch. Confirm
      # against what the workflows actually connect to.
      (rule "accept" ["tag:server" "tag:gha"] ["tag:server:*"])
    ];

    ssh = [
      # Personal devices may log in to servers and other personal devices as
      # root or as any non-root user.
      (sshRule "accept" ["tag:personal"] ["tag:server" "tag:personal"] ["autogroup:nonroot" "root"])

      # tag:gha nodes may log in to servers as root, and only as root.
      # NOTE(review): any node that joins the tailnet under tag:gha gets root
      # on every tag:server host. The auth key or OAuth client that mints
      # those nodes is therefore equivalent to a root credential for the
      # fleet. How it is stored and scoped is not visible here; verify it is
      # ephemeral and restricted to tag:gha, and consider a dedicated
      # unprivileged deploy user if root is not required.
      (sshRule "accept" ["tag:gha"] ["tag:server"] ["root"])
    ];
  };
in {
  resource.tailscale_acl.default.acl = toString (builtins.toJSON policy);
}