Tailscale Nix ACL rules
# Tailscale/Headscale ACL groups.  The main config imports this file with
# `lib = aclLib` (the small rule-helper set), so `lib` is not nixpkgs lib;
# nothing in this file uses it.  Each attribute is a Tailscale group name
# mapped to the logins of its members.
{ lib }:
{
  # Developers: the per-service rules grant this group the Vault port.
  "group:devs" = [
    "your@user.here"
  ];

  # Household members: granted the Home Assistant port by the per-service rules.
  "group:household" = [
    "your@user.here"
  ];

  # Super admins: rules_common.nix accepts port :22 on every destination
  # ("*") for this group, so keep its membership as small as possible.
  "group:superadmin" = [
    "your@user.here"
  ];
}
# Rules shared by every deployment.  Imported by the main config with
# `lib = aclLib`, so `lib.mkAcceptIncoming` is the helper defined there.
{ lib }:
{
  # No host aliases are introduced here; other rule files add theirs and the
  # main config merges them.
  hosts = { };

  acls = [
    # Super admins may reach SSH on every destination.  mkAcceptIncoming
    # builds "<target><port>", so "*" with ":22" becomes "*:22" -- a wildcard
    # destination, not only the aliases listed under `hosts`.
    (lib.mkAcceptIncoming {
      target = "*";
      users = [ "group:superadmin" ];
      ports = [ ":22" ];
    })
  ];
}
# Per-service rules: host aliases plus which group may reach each service.
# Imported with `lib = aclLib`; the main config merges `hosts` across rule
# files and concatenates `acls`.  NOTE: the main snippet's `aclRules` only
# lists rules_common.nix, so this file must be added there to take effect.
{ lib }:
{
  # Alias -> address.  Placeholders: fill in each node's address.
  hosts = {
    "vault" = "X.X.X.X";
    "homeassistant" = "X.X.X.X";
  };

  acls = [
    # Developers -> Vault API and web UI (expands to "vault:443").
    (lib.mkAcceptIncoming {
      target = "vault";
      users = [ "group:devs" ];
      ports = [ ":443" ];
    })

    # Household -> Home Assistant web UI on port 443 (expands to
    # "homeassistant:443").
    (lib.mkAcceptIncoming {
      target = "homeassistant";
      users = [ "group:household" ];
      ports = [ ":443" ];
    })
  ];
}
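let
  # Helpers handed to each ACL rule file as `lib` (the files are imported
  # with `{ lib = aclLib; }`), so rule files do not see nixpkgs lib.
  aclLib = {
    # Generic accept rule: the caller supplies the remaining ACL fields.
    mkAccept = args: ({ action = "accept"; } // args);

    # Accept rule from `users` to "<target><port>" for each port, e.g.
    # target "vault" + ":443" -> "vault:443"; target "*" matches every
    # destination.  `target` should be a `hosts` alias, an address or "*" --
    # nothing here checks that an alias actually exists in `hosts`.
    mkAcceptIncoming = { target, users, ports }: {
      action = "accept";
      inherit users;
      ports = map (port: "${target}${port}") ports;
    };

    # Let a user reach all ports on their own devices ("<user>:*").
    mkUserAllowSelf = { user }: {
      action = "accept";
      users = [ user ];
      ports = [ "${user}:*" ];
    };
  };

  # Every rule file whose `hosts` and `acls` end up in the policy.
  aclRules = [
    (import ./acl/rules_common.nix { lib = aclLib; })
    # more rules here
  ];

  # Merge the `hosts` sets of all rule files into one alias -> address map.
  # `lib` here is the surrounding module's nixpkgs lib (zipAttrs/mapAttrs/
  # concatLists).  A host alias defined in two rule files used to silently
  # take the first definition, so a rule could be bound to the wrong address;
  # a duplicate alias is now an evaluation error that names the alias.
  mergeObjects = objs:
    lib.mapAttrs
      (name: values:
        if lib.length values == 1
        then lib.head values
        else throw "headscale ACL: host alias '${name}' is defined in more than one rule file")
      (lib.zipAttrs objs);

  builtACL = {
    groups = import ./acl/groups.nix { lib = aclLib; };
    hosts = mergeObjects (map (file: file.hosts) aclRules);
    acls = lib.concatLists (map (file: file.acls) aclRules);
  };
in
# .......
# The policy is emitted as JSON (which is valid HuJSON), presumably for
# headscale to load.  Mode 0444 makes it readable by every local account; it
# holds group membership, host addresses and the rule set, so a tighter mode
# is preferable if headscale's service user can still read it -- TODO confirm
# headscale's runtime user.
environment.etc."headscale_acl.hujson" = {
  text = builtins.toJSON builtACL;
  mode = "0444";
};
# .......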