xin/configs/tailnet.nix

309 lines
8.1 KiB
Nix
Raw Normal View History

2023-09-12 08:44:05 -06:00
{ config
, pkgs
, lib
, inputs
, xinlib
, ...
}:
let
tailnetACLs =
let
acls = {
2024-10-20 18:19:29 -06:00
nodeAttrs = [
{
target = [ "tag:laptop" "tag:mobile" ];
attr = [
"drive:access"
];
}
{
target = [ "tag:internal-server" ];
attr = [
"drive:share"
];
}
{
target = [ "namish" ];
attr = [
"drive:share"
];
}
2024-10-20 18:19:29 -06:00
];
grants = [
{
src = [ "europa" "sputnik" "skunk" "graphy" "plq" ];
2024-10-20 18:19:29 -06:00
dst = [ "box" ];
app = {
"tailscale.com/cap/drive" = [{
shares = [ "*" ];
access = "rw";
}];
};
}
];
2023-09-12 08:44:05 -06:00
hosts = {
2024-10-20 18:19:29 -06:00
box = "100.115.16.150";
2024-04-25 15:21:47 -06:00
console = "100.83.166.33";
2024-10-20 18:19:29 -06:00
display = "100.77.35.34";
europa = "100.64.26.122";
2024-04-25 15:21:47 -06:00
faf = "100.80.94.131";
2024-10-20 18:19:29 -06:00
gitle = "100.111.162.87";
graphy = "100.123.184.55";
2024-04-25 15:21:47 -06:00
h = "100.83.77.133";
2024-05-05 10:06:58 -06:00
il = "100.86.182.99";
2024-10-20 18:19:29 -06:00
invidious = "100.71.57.99";
namish = "100.86.184.141";
2024-10-20 18:19:29 -06:00
nbc = "100.74.8.55";
ollama = "100.121.227.121";
plq = "100.90.214.142";
2024-10-20 18:19:29 -06:00
pwntie = "100.84.170.57";
rimgo = "100.121.77.91";
2024-10-20 18:19:29 -06:00
skunk = "100.79.26.78";
sputnik = "100.78.154.31";
startpage = "127.0.0.1";
tsns = "100.73.115.100";
2024-10-20 18:19:29 -06:00
tv = "100.118.196.38";
2023-09-12 08:44:05 -06:00
};
2023-09-12 08:44:05 -06:00
tagOwners = {
2024-04-25 15:21:47 -06:00
"tag:admin" = [ "autogroup:admin" ];
"tag:untrusted" = [ "qbit@tapenet.org" ];
"tag:ro-service" = [ "qbit@tapenet.org" ];
"tag:mobile" = [ "qbit@tapenet.org" ];
"tag:laptop" = [ "qbit@tapenet.org" ];
"tag:internal-server" = [ "qbit@tapenet.org" ];
"tag:external-server" = [ "qbit@tapenet.org" ];
"tag:work" = [ "qbit@tapenet.org" ];
"tag:dns-server" = [ "qbit@tapenet.org" ];
"tag:openbsd" = [ "qbit@tapenet.org" ];
2023-09-12 08:44:05 -06:00
};
2023-09-12 08:44:05 -06:00
acls = [
{
action = "accept";
src = [ "europa" ];
dst = [ "tsns:443" ];
}
{
action = "accept";
src = [ "*" ];
dst = [ "tsns:53" ];
proto = "udp";
}
2023-09-12 08:44:05 -06:00
{
2024-04-25 15:21:47 -06:00
# Allow laptops and mobile devices to ssh to everything
2023-09-12 08:44:05 -06:00
action = "accept";
2024-04-25 15:21:47 -06:00
src = [ "tag:mobile" "tag:laptop" ];
dst = [ "*:*" ];
2023-09-12 08:44:05 -06:00
}
{
action = "accept";
src = [ "tag:internal-server" "tag:external-server" "tag:work" "tag:laptop" ];
dst = [ "nbc:443" ];
2023-09-12 08:44:05 -06:00
}
{
action = "accept";
src = [ "tag:untrusted" "tag:internal-server" ];
dst = [ "tag:ro-service:443" ];
2024-04-25 15:21:47 -06:00
}
{
action = "accept";
src = [ "tag:work" ];
dst = [ "console:2222" "startpage:443" "rimgo:443" "invidious:443" ];
2024-04-25 15:21:47 -06:00
}
{
action = "accept";
src = [ "tag:openbsd" ];
dst = [ "box:443" ];
2024-04-25 15:21:47 -06:00
}
{
# prometheus
action = "accept";
src = [ "box" ];
dst = [ "h:9002" "pwntie:9002" ];
2024-04-25 15:21:47 -06:00
}
{
# DNS
action = "accept";
src = [ "*" ];
dst = [ "faf:53" ];
proto = "udp";
2024-04-25 15:21:47 -06:00
}
{
# ollama
action = "accept";
src = [ "europa" "h" "tag:work" ];
dst = [ "ollama:443" ];
proto = "tcp";
2024-04-25 15:21:47 -06:00
}
{
# jellyfin for tv
action = "accept";
src = [ "tv" "display" ];
dst = [ "box:443" ];
proto = "tcp";
}
{
action = "accept";
src = [ "box" ];
dst = [ "tv:8080" "tv:9090" ];
proto = "tcp";
}
{
action = "accept";
src = [ "h" ];
dst = [ "ollama:443" ];
proto = "tcp";
}
2024-04-25 15:21:47 -06:00
];
tests = [
{
src = "gitle";
deny = [ "tsns:443" ];
}
{
src = "gitle";
allow = [ "tsns:53" ];
proto = "udp";
}
2024-04-25 15:21:47 -06:00
{
# RO service can't access things
src = "tag:ro-service";
deny = [ "tag:laptop:443" "tag:mobile:80" "tag:laptop:22" ];
2024-04-25 15:21:47 -06:00
}
{
src = "tag:external-server";
deny = [ "tag:laptop:22" ];
2024-04-25 15:21:47 -06:00
}
{
src = "tag:laptop";
allow = [ "tag:ro-service:443" "tag:ro-service:80" "tag:external-server:22" ];
2024-04-25 15:21:47 -06:00
}
{
src = "tag:laptop";
allow = [ "qbit@tapenet.org:22" ];
2024-04-25 15:21:47 -06:00
}
{
src = "tag:untrusted";
deny = [ "tag:laptop:22" ];
allow = [ "tag:ro-service:443" ];
2024-04-25 15:21:47 -06:00
}
{
src = "tag:laptop";
allow = [ "tag:untrusted:22" "tag:untrusted:2222" "tag:work:22" ];
2024-04-25 15:21:47 -06:00
}
{
src = "tag:work";
deny = [ "tag:laptop:22" ];
2024-04-25 15:21:47 -06:00
}
# Gitle shouldn't be able to access things, but things should access it
{
src = "gitle";
deny = [ "tag:laptop:22" ];
2024-04-25 15:21:47 -06:00
}
{
src = "tag:laptop";
allow = [ "gitle:22" ];
2024-04-25 15:21:47 -06:00
}
{
src = "tag:laptop";
allow = [ "faf:53" ];
2024-04-25 15:21:47 -06:00
}
{
src = "tag:internal-server";
allow = [ "nbc:443" "tag:ro-service:443" ];
2024-04-25 15:21:47 -06:00
}
{
"src" = "tag:laptop";
allow = [ "h:8967" ];
2024-04-25 15:21:47 -06:00
}
{
src = "h";
proto = "udp";
allow = [ "faf:53" ];
2024-04-25 15:21:47 -06:00
}
{
src = "tag:openbsd";
proto = "tcp";
allow = [ "box:443" ];
2024-04-25 15:21:47 -06:00
}
{
src = "sputnik";
proto = "tcp";
allow = [ "europa:1714" ];
2024-04-25 15:21:47 -06:00
}
{
src = "sputnik";
proto = "udp";
allow = [ "europa:1714" ];
2024-04-25 15:21:47 -06:00
}
{
src = "europa";
proto = "tcp";
allow = [ "ollama:443" ];
2023-09-12 08:44:05 -06:00
}
{
src = "tv";
proto = "tcp";
allow = [ "box:443" ];
}
{
src = "display";
proto = "tcp";
allow = [ "box:443" ];
}
2023-09-12 08:44:05 -06:00
];
};
in
pkgs.writeTextFile {
name = "tailnet-acls.json";
text = builtins.toJSON acls;
};
2024-04-25 15:21:47 -06:00
aclUpdateScript = pkgs.writeShellScriptBin
"tailnet-acl-updater"
''
set -eu
2024-04-25 15:21:47 -06:00
. ${config.sops.secrets.po_env.path}
2024-04-25 15:21:47 -06:00
JQ=${pkgs.jq}/bin/jq
PO=${inputs.po.packages.${pkgs.system}.po}/bin/po
2024-04-25 15:21:47 -06:00
APIURL="https://api.tailscale.com/api/v2/tailnet/-/acl"
TOKEN="$(cat ${config.sops.secrets.tailnet_acl_manager.path}):"
2024-08-14 13:00:56 -06:00
ERROR="$(${pkgs.curl}/bin/curl "$APIURL/validate" -s -u "$TOKEN" -d @${tailnetACLs} | $JQ -r .message)"
2024-04-25 15:21:47 -06:00
if [ "$ERROR" = "null" ]; then
2024-08-14 13:00:56 -06:00
RESP="$(${pkgs.curl}/bin/curl "$APIURL" -s -u "$TOKEN" -d @${tailnetACLs} | $JQ -r .message)"
2024-04-25 15:21:47 -06:00
if [ "$RESP" != "null" ]; then
$PO -title "Failed to update TailNet!" -body "$RESP"
fi
else
2024-07-25 09:52:27 -06:00
$PO -title "Failed to update TailNet!" -body "$ERROR"
fi
2024-04-25 15:21:47 -06:00
'';
jobs = [
{
name = "update-talenet-acls";
script = "${aclUpdateScript}/bin/tailnet-acl-updater";
startAt = "*:30:00";
2023-09-12 08:44:05 -06:00
path = [ ];
inherit (config.nixManager) user;
}
];
enabled = config.nixManager.enable;
in
2023-09-12 08:44:05 -06:00
with lib; {
sops.secrets = mkIf enabled {
tailnet_acl_manager = {
owner = config.nixManager.user;
sopsFile = config.xin-secrets.manager;
};
};
systemd.services = mkIf enabled (listToAttrs (builtins.map xinlib.jobToService jobs));
environment.systemPackages = mkIf enabled [ aclUpdateScript ];
2023-09-12 08:44:05 -06:00
}