# Module that renders a Tailscale ACL policy as JSON for a `tailscale_acl`
# resource (the `resource.<type>.<name>` shape looks like a terranix module —
# TODO confirm against the importing configuration).
# The keys inside `toJSON` map 1:1 onto the Tailscale policy file:
# `tagOwners`, `acls` and `ssh`.
{ lib, ... }:
let
  # The single identity allowed to apply every tag defined here.
  owner = [ "getchoo@github" ];

  # Tags used throughout the policy; prefixed once so the literal "tag:"
  # spelling lives in exactly one place.
  tags = map (name: "tag:${name}") [
    "server"
    "personal"
  ];

  # Network ACL entry: who (src) may reach what (dst) and how (action).
  mkAcl = action: src: dst: { inherit action src dst; };

  # Tailscale SSH entry: like mkAcl, plus the OS users the session may
  # log in as.
  mkSshAcl = action: src: dst: users: { inherit action src dst users; };
in
{
  # `toJSON` already yields a string; `toString` is kept as a no-op guard.
  resource.tailscale_acl.default.acl = toString (
    builtins.toJSON {
      # Both tags are owned by the same identity.
      tagOwners = lib.genAttrs tags (_: owner);

      acls = [
        # Personal devices may reach every destination on every port; this
        # is the broadest rule in the policy and the one to revisit first
        # when tightening it.
        (mkAcl "accept" [ "tag:personal" ] [ "*:*" ])
        # Servers may reach each other on any port, and nothing else.
        (mkAcl "accept" [ "tag:server" ] [ "tag:server:*" ])
      ];

      ssh = [
        # Personal devices may open Tailscale SSH sessions to servers and to
        # other personal devices, as any non-root user or as root.
        # NOTE(review): "accept" grants the root login without any
        # re-authentication; Tailscale's "check" SSH action would require a
        # periodic re-auth for that case — consider it for the root entry.
        (mkSshAcl "accept"
          [ "tag:personal" ]
          [
            "tag:server"
            "tag:personal"
          ]
          [
            "autogroup:nonroot"
            "root"
          ]
        )
      ];
    }
  );
}