
# Headscale ACL policy for raptus.
#
# The policy is rendered with `builtins.toJSON` into the Nix store and pointed
# at by `services.headscale.settings.policy.path`.  Peer addresses are pulled
# from the other hosts' NixOS configurations (via `self`) so that a changed
# tailnet IP or rsync port propagates here automatically; the one exception is
# `homeAIp`, which is hard-coded and must be kept in sync by hand.
{
  pkgs,
  options,
  lib,
  self,
  ...
}:
let
  # An "acls" entry: nodes matching `src` may reach the `dst` selectors.
  allow = src: dst: {
    action = "accept";
    inherit src dst;
  };

  # An "ssh" entry: nodes matching `src` may open Tailscale SSH sessions to
  # `dst` as any of the listed `users`.  No `check` mode is requested.
  allowSsh = src: dst: users: {
    action = "accept";
    inherit src dst users;
  };

  hostCfg = name: self.nixosConfigurations.${name}.config;
  shanIp = (hostCfg "shan").modules.meta.tailscale.ip;
  nihilusIp = (hostCfg "nihilus").modules.meta.tailscale.ip;
  rsyncPort = toString (hostCfg "nihilus").modules.server.rsync-daemon.port;

  # Not derived from a host config; update manually if the node is re-addressed.
  homeAIp = "100.64.0.9";

  # Every user listed here may apply the owned tags to nodes.
  tagAdmins = [ "ny" ];

  policy = {
    acls = [
      # client -> every client and every server, all ports
      (allow [ "tag:client" ] [
        "tag:client:*"
        "tag:server:*"
      ])
      # client, server -> the rsync daemon on nihilus only
      (allow [ "tag:client" "tag:server" ] [ "${nihilusIp}:${rsyncPort}" ])
      # shan -> port 9000 on any server
      (allow [ "${shanIp}" ] [ "tag:server:9000" ])
      # guests get only HTTPS on shan and HTTP on homeA; nothing else
      (allow [ "tag:guest" ] [
        "${shanIp}:443"
        "${homeAIp}:80"
      ])
    ];

    ssh = [
      # client -> {server, client} as ny or deck
      (allowSsh [ "tag:client" ] [
        "tag:server"
        "tag:client"
      ] [ "ny" "deck" ])
    ];

    # NOTE(review): `tags` is not a key I recognise in the Headscale policy
    # schema (groups / hosts / tagOwners / acls / ssh / autoApprovers / tests);
    # confirm it is consumed, otherwise it is silently ignored.
    tags = [
      "tag:client"
      "tag:server"
      "tag:guest"
    ];

    # `tag:guest` is referenced above but has no owner here.  NOTE(review):
    # confirm Headscale accepts an ownerless tag; if not, no node can ever be
    # tagged guest and the guest rule is dead.
    tagOwners = builtins.listToAttrs (
      map (tag: {
        name = "tag:${tag}";
        value = tagAdmins;
      }) [ "server" "client" ]
    );

    # `*` auto-approves any node that advertises itself as an exit node,
    # including guest-tagged ones, with no admin confirmation.  Narrow this to
    # a tag or user if only specific hosts are meant to carry egress traffic.
    autoApprovers.exitNode = [ "*" ];
  };
in
{
  services.headscale.settings.policy.path = pkgs.writeTextFile {
    name = "headscale-acl.hujson";
    text = builtins.toJSON policy;
  };
}