From ff23ee6e56a0a8011ea0fd7c282b0a4388289ad1 Mon Sep 17 00:00:00 2001
From: Aaron Bieber
Date: Thu, 27 Jul 2023 09:51:55 -0600
Subject: [PATCH] configs/tailnet: start managing tailnet ACLs
---
 configs/manager.nix | 4 ++
 configs/tailnet.nix | 102 ++++++++++++++++++++++++++++++++++++++++++++
 flake.lock | 8 ++--
 flake.nix | 32 +++++++-------
 4 files changed, 126 insertions(+), 20 deletions(-)
 create mode 100644 configs/tailnet.nix
diff --git a/configs/manager.nix b/configs/manager.nix
index 9009d87..3d54b67 100644
--- a/configs/manager.nix
+++ b/configs/manager.nix
@@ -25,6 +25,8 @@ in }; }; + imports = [./tailnet.nix]; + config = mkIf config.nixManager.enable { sops.defaultSopsFile = config.xin-secrets.manager; sops.secrets = {
@@ -36,11 +38,13 @@ in ca_cert = {owner = config.nixManager.user;}; po_env = {owner = config.nixManager.user;}; }; + environment.systemPackages = [ microca inputs.xintray.packages.${pkgs.system}.xintray inputs.po.packages.${pkgs.system}.po ]; + networking = { hosts = { "66.135.2.235" = ["ns1"];
diff --git a/configs/tailnet.nix b/configs/tailnet.nix
new file mode 100644
index 0000000..509ae47
--- /dev/null
+++ b/configs/tailnet.nix
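Review bot: `imports = [./tailnet.nix];` in the first hunk pulls in the tailnet module unconditionally, while everything else this module configures sits under `mkIf config.nixManager.enable`; tailnet.nix, added in this same patch, sets `sops.secrets` and `systemd.services` without a `mkIf`, so the ACL updater and its secret are enabled on every host that imports manager.nix regardless of `nixManager.enable`. If the gate is intended, wrapping tailnet.nix's body as `mkIf config.nixManager.enable { … }` restores it. tailnet.nix also redeclares `sops.secrets.po_env`, which the second hunk's context already defines here; one definition is enough. The second hunk otherwise only adds blank lines.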
@@ -0,0 +1,102 @@
+{
+ config,
+ pkgs,
+ lib,
+ inputs,
+ xinlib,
+ ...
+}: let
+ tailnetACLs = let
+ acls = {
+ hosts = {
+ europa = "100.92.31.80";
+ startpage = "100.120.84.116";
+ startdev = "100.92.56.119";
+ go = "100.117.47.51";
+ nbc = "100.122.61.43"; # nix-binary-cache
+ console = "100.87.112.70";
+ box = "100.120.151.126";
+ };
+
+ tagOwners = {
+ "tag:untrusted" = ["qbit@github"];
+ "tag:minservice" = ["qbit@github"];
+ "tag:apper" = ["qbit@github"];
+ "tag:golink" = ["qbit@github"];
+ "tag:lab" = ["qbit@github"];
+ };
+
+ acls = [
+ {
+ action = "accept";
+ src = ["tag:untrusted"];
+ dst = [
+ "europa:22"
+ "europa:12304"
+ "startpage:443"
+ "startdev:443"
+ "go:80"
+ "tag:lab:22"
+ "nbc:443"
+ ];
+ }
+ {
+ action = "accept";
+ src = ["tag:minservice"];
+ dst = ["*:22" "box:3030" "nbc:443" "console:2222"];
+ }
+ {
+ action = "accept";
+ src = ["qbit@github"];
+ dst = ["*:*"];
+ }
+ ];
+ };
+ in
+ pkgs.writeTextFile {
+ name = "tailnet-acls.json";
+ text = builtins.toJSON acls;
+ };
+ aclUpdateScript = pkgs.writeShellScriptBin "tailnet-acl-updater" ''
+ set -eu
+
+ . ${config.sops.secrets.po_env.path}
+
+ JQ=${pkgs.jq}/bin/jq
+ PO=${inputs.po.packages.${pkgs.system}.po}/bin/po
+
+ APIURL="https://api.tailscale.com/api/v2/tailnet/-/acl"
+ TOKEN="$(cat ${config.sops.secrets.tailnet_acl_manager.path}):"
+
+ ERROR="$(${pkgs.curl}/bin/curl "$APIURL/validate" -u "$TOKEN" -d @${tailnetACLs} | $JQ -r .message)"
+
+ if [ "$ERROR" = "null" ]; then
+ RESP="$(${pkgs.curl}/bin/curl "$APIURL" -u "$TOKEN" -d @${tailnetACLs} | $JQ -r .message)"
+ if [ "$RESP" != "null" ]; then
+ $PO -title "Failed to update TailNet!" 
-body "$RESP"
+ fi
+ fi
+ '';
+ jobs = [
+ {
+ name = "update-talenet-acls";
+ script = "${aclUpdateScript}/bin/tailnet-acl-updater";
+ startAt = "*:30:00";
+ path = [];
+ inherit (config.nixManager) user;
+ }
+ ];
+in
+ with lib; {
+ sops.secrets = {
+ tailnet_acl_manager = {
+ owner = config.nixManager.user;
+ sopsFile = config.xin-secrets.manager;
+ };
+ po_env = {
+ owner = config.nixManager.user;
+ sopsFile = config.xin-secrets.manager;
+ };
+ };
+ systemd.services = listToAttrs (builtins.map xinlib.jobToService jobs);
+ }
diff --git a/flake.lock b/flake.lock
index 4a345ef..8139e7a 100644
--- a/flake.lock
+++ b/flake.lock
@@ -437,11 +437,11 @@ "stable": "stable_2" }, "locked": { - "lastModified": 1686765987, - "narHash": "sha256-dwT4w+dFG5ovM9ip32fj54I8Bq427SQZ91X/wJ3mhXU=", + "lastModified": 1690469873, + "narHash": "sha256-ohAEIlsdUeOiIxsmN8GU6M5Ui0p1kChkxWQ+dYQGNTk=", "ref": "main", - "rev": "4019a419bd9ab0e927d44cb4ff4b84654de90712", - "revCount": 100, + "rev": "aa792f779df5b2227b6087c8a04cc88dec0f506a", + "revCount": 101, "type": "git", "url": "ssh://xin-secrets-ro/qbit/xin-secrets.git" },
diff --git a/flake.nix b/flake.nix
index 5adaf2e..4412f0e 100644
--- a/flake.nix
+++ b/flake.nix
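Review bot: Both curl calls in `aclUpdateScript` pass the API key on the command line via `-u "$TOKEN"`, so it is readable from the process argument list by any local user for the duration of each request; reading the credential from a curl config on stdin keeps it out of argv, e.g. `printf 'user = "%s"\n' "$TOKEN" | ${pkgs.curl}/bin/curl -K - "$APIURL/validate" -d @${tailnetACLs}`. A failed validation is also silent: when `ERROR` is not `null` the script skips the update and exits 0 without notifying, so a rejected ACL is never reported while a failed update is; an `else $PO -title "TailNet ACL validation failed!" -body "$ERROR"` on the outer `if` would cover it. Because `set -eu` has no `-o pipefail`, a curl error in `curl … | $JQ -r .message` is masked by jq's exit status and an empty body yields `ERROR=""`, which again skips the update without notice. The job name `update-talenet-acls` looks like a typo for `update-tailnet-acls`.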
@@ -230,21 +230,21 @@ ]; };
- weatherzero = buildSys "armv6l" stable [
- "${stable}/nixos/modules/installer/sd-card/sd-image-raspberrypi.nix"
- {
- nixpkgs = {
- buildPlatform = {
- system = "x86_64-linux";
- config = "x86_64-unknown-linux-gnu";
- };
- hostPlatform = {
- system = "armv6l-linux";
- config = "armv6l-unknown-linux-gnueabihf";
- };
- };
- }
- ] "weatherzero";
+ #weatherzero = buildSys "armv6l" stable [
+ # "${stable}/nixos/modules/installer/sd-card/sd-image-raspberrypi.nix"
+ # {
+ # nixpkgs = {
+ # buildPlatform = {
+ # system = "x86_64-linux";
+ # config = "x86_64-unknown-linux-gnu";
+ # };
+ # hostPlatform = {
+ # system = "armv6l-linux";
+ # config = "armv6l-unknown-linux-gnueabihf";
+ # };
+ # };
+ # }
+ #] "weatherzero"; isoInstall = stable.lib.nixosSystem { system = "x86_64-linux";
@@ -346,7 +346,7 @@ }; checks = let
- buildList = ["europa" "stan" "h" "box" "faf" "weatherzero"];
+ buildList = ["europa" "stan" "h" "box" "faf"]; in with unstable.lib; foldl' recursiveUpdate {} (mapAttrsToList (name: system: {
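Review bot: The `weatherzero` host definition in the first hunk is kept as fifteen commented-out lines instead of being deleted, while the second hunk removes it from `buildList` outright. Git history already preserves the block, so removing it is cleaner; if it is meant to come back, a single line such as `# weatherzero (armv6l) disabled: <reason>` records the intent without leaving dead code.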