Tailscale Nix ACL rules

acl groups.nix

{ lib }:

with lib;

rec {
  "group:devs" = [
    "your@user.here"
  ];
  "group:household" = [
    "your@user.here"
  ];
  "group:superadmin" = [
    "your@user.here"
  ];
}

acl rules_common.nix

{ lib }:

with lib;

rec {
  hosts = {
  };
  acls = [
    # Super admins can access any SSH server
    (mkAcceptIncoming {
      target = "*";
      users = ["group:superadmin"];
      ports = [":22"];
    })
  ];
}

acl rules_servers.nix

{ lib }:

with lib;

rec {
  hosts = {
    "vault" = "X.X.X.X"; # add IP here
    "homeassistant" = "X.X.X.X";
  };
  acls = [
    # Vault access
    (mkAcceptIncoming {
      target = "vault";
      users = [
        "group:devs"
      ];
      ports = [
        ":443" # Vault API and Web UI
      ];
    })

    # Home Assistant
    (mkAcceptIncoming {
      target = "homeassistant";
      users = [
        "group:household"
      ];
      ports = [
        ":443" # HTTP
      ];
    })
  ];
}

configuration.nix

let
  aclLib = {
    mkAccept = args: ({ action = "accept"; } // args);
    mkAcceptIncoming = { target, users, ports }: {
      action = "accept";
      inherit users;
      ports = map (port: "${target}${port}") ports;
    };
    mkUserAllowSelf = { user }: {
      action = "accept";
      users = [ user ];
      ports = [ "${user}:*" ];
    };
  };
  aclRules = [
    (import ./acl/rules_common.nix { lib = aclLib; })
    # more rules here
  ];
  mergeObjects = objs: lib.mapAttrs (name: value: (lib.elemAt value 0)) (lib.zipAttrs objs);
  builtACL = {
    groups = import ./acl/groups.nix { lib = aclLib; };
    hosts = mergeObjects (map (file: file.hosts) aclRules);
    acls = lib.concatLists (map (file: file.acls) aclRules);
  };
in
# .......
  environment.etc."headscale_acl.hujson" = {
    text = builtins.toJSON builtACL;
    mode = "0444";
  };
# .......