79 lines
1.4 KiB
Nix
79 lines
1.4 KiB
Nix
{
|
|
pkgs,
|
|
options,
|
|
lib,
|
|
...
|
|
}:
|
|
let
|
|
mkAcl = src: dst: {
|
|
action = "accept";
|
|
inherit src dst;
|
|
};
|
|
mkSshAcl = src: dst: users: {
|
|
action = "accept";
|
|
inherit src dst users;
|
|
};
|
|
in
|
|
{
|
|
services.headscale.settings.policy.path = pkgs.writeTextFile {
|
|
name = "headscale-acl.hujson";
|
|
text = builtins.toJSON {
|
|
acls = [
|
|
(mkAcl
|
|
[ "tag:client" ]
|
|
[
|
|
"tag:client:*"
|
|
"tag:server:*"
|
|
]
|
|
) # client -> {client, server}
|
|
|
|
(mkAcl
|
|
[
|
|
"tag:client"
|
|
"tag:server"
|
|
]
|
|
[ "tag:backup:${toString options.modules.server.rsync-daemon.port.default}" ]
|
|
)
|
|
|
|
(mkAcl
|
|
[
|
|
"tag:guest"
|
|
]
|
|
[ "100.64.0.4:443" ]
|
|
)
|
|
];
|
|
|
|
ssh = [
|
|
(mkSshAcl [ "tag:client" ]
|
|
[
|
|
"tag:server"
|
|
"tag:client"
|
|
]
|
|
[ "ny" ]
|
|
) # client -> {client, server}
|
|
];
|
|
|
|
tags = [
|
|
"tag:client"
|
|
"tag:server"
|
|
"tag:backup"
|
|
"tag:guest"
|
|
];
|
|
|
|
tagOwners =
|
|
let
|
|
users = [ "ny" ];
|
|
tags = map (name: "tag:${name}") [
|
|
"server"
|
|
"client"
|
|
"backup"
|
|
];
|
|
in
|
|
lib.genAttrs tags (_: users);
|
|
|
|
autoApprovers = {
|
|
exitNode = [ "*" ];
|
|
};
|
|
};
|
|
};
|
|
}
|