{ pkgs, options, lib, self, ... }:
let
  # Host metadata is read straight from the sibling nixosConfigurations so
  # that an address or port change there propagates into this policy.
  shanMeta = self.nixosConfigurations.shan.config.modules.meta;
  nihilusCfg = self.nixosConfigurations.nihilus.config;

  # Tailnet address of the home-automation host.  It is the one endpoint
  # that is not derived from a nixosConfiguration, hence the literal.
  homeAIp = "100.64.0.9";

  shanIp = shanMeta.tailscale.ip;
  rsyncEndpoint =
    "${nihilusCfg.modules.meta.tailscale.ip}:${toString nihilusCfg.modules.server.rsync-daemon.port}";

  # One "accept" rule for the `acls` list.
  accept = src: dst: { action = "accept"; inherit src dst; };
  # One "accept" rule for the `ssh` list; `users` are the OS accounts the
  # rule permits on the destination hosts.
  acceptSsh = src: dst: users: { action = "accept"; inherit src dst users; };

  policy = {
    acls = [
      # client -> {client, server}: any port on any client or server.
      (accept [ "tag:client" ] [ "tag:client:*" "tag:server:*" ])
      # clients and servers -> the rsync daemon on nihilus only.
      (accept [ "tag:client" "tag:server" ] [ rsyncEndpoint ])
      # shan -> port 9000 on every server.
      (accept [ "${shanIp}" ] [ "tag:server:9000" ])
      # guests get exactly two destinations: shan on 443 and home automation on 80.
      (accept [ "tag:guest" ] [ "${shanIp}:443" "${homeAIp}:80" ])
    ];

    ssh = [
      # client -> {client, server}, logging in as the listed OS users.
      (acceptSsh [ "tag:client" ] [ "tag:server" "tag:client" ] [ "ny" "deck" ])
    ];

    # NOTE(review): I cannot confirm that headscale reads a top-level `tags`
    # key from the policy; the tags it acts on are the `tagOwners` keys below
    # and the ones referenced from `acls`/`ssh`.  `tag:guest` is listed here
    # and used in `acls` but has no owner entry, so how a node acquires it is
    # not visible from this file -- confirm that is intended.
    tags = [ "tag:client" "tag:server" "tag:guest" ];

    # Only "ny" may own (advertise) the server and client tags.
    tagOwners = {
      "tag:server" = [ "ny" ];
      "tag:client" = [ "ny" ];
    };

    # NOTE(review): "*" auto-approves an exit-node advertisement from any
    # node on the tailnet, guest-tagged ones included; if only a subset of
    # hosts is meant to offer exit nodes, narrow this to that tag or user.
    autoApprovers = { exitNode = [ "*" ]; };
  };
in {
  # headscale loads the policy from a file; the attrset is emitted as JSON,
  # which is also valid HuJSON.
  services.headscale.settings.policy.path = pkgs.writeTextFile {
    name = "headscale-acl.hujson";
    text = builtins.toJSON policy;
  };
}