qbit/xin
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

configs/tailnet: re-enable

Browse Source
This commit is contained in:
Aaron Bieber 2024-04-25 15:21:47 -06:00
parent 0a15d994c7
commit a0b19b2570
No known key found for this signature in database
2 changed files with 159 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
configs/manager.nix
View File

@ -25,7 +25,7 @@ with lib; {
}; };
}; };
#imports = [ ./tailnet.nix ]; imports = [ ./tailnet.nix ];
config = mkIf config.nixManager.enable { config = mkIf config.nixManager.enable {
sops.defaultSopsFile = config.xin-secrets.manager; sops.defaultSopsFile = config.xin-secrets.manager;

204
configs/tailnet.nix
View File

@ -10,48 +10,158 @@ let
let let
acls = { acls = {
hosts = { hosts = {
europa = "100.92.31.80"; console = "100.83.166.33";
startpage = "100.120.84.116"; nbc = "100.74.8.55";
startdev = "100.92.56.119"; startpage = "127.0.0.1";
go = "100.117.47.51"; gitle = "100.111.162.87";
nbc = "100.122.61.43"; # nix-binary-cache faf = "100.80.94.131";
console = "100.87.112.70"; h = "100.83.77.133";
box = "100.120.151.126"; box = "100.115.16.150";
pwntie = "100.84.170.57";
sputnik = "100.78.154.31";
europa = "100.64.26.122";
}; };
tagOwners = { tagOwners = {
"tag:untrusted" = [ "qbit@github" ]; "tag:admin" = [ "autogroup:admin" ];
"tag:minservice" = [ "qbit@github" ]; "tag:untrusted" = [ "qbit@tapenet.org" ];
"tag:sshonly" = [ "qbit@github" ]; "tag:ro-service" = [ "qbit@tapenet.org" ];
"tag:apper" = [ "qbit@github" ]; "tag:mobile" = [ "qbit@tapenet.org" ];
"tag:golink" = [ "qbit@github" ]; "tag:laptop" = [ "qbit@tapenet.org" ];
"tag:lab" = [ "qbit@github" ]; "tag:internal-server" = [ "qbit@tapenet.org" ];
"tag:external-server" = [ "qbit@tapenet.org" ];
"tag:work" = [ "qbit@tapenet.org" ];
"tag:dns-server" = [ "qbit@tapenet.org" ];
"tag:openbsd" = [ "qbit@tapenet.org" ];
}; };
acls = [ acls = [
{ {
# Allow laptops and mobile devices to ssh to everything
action = "accept"; action = "accept";
src = [ "tag:untrusted" ]; src = [ "tag:mobile" "tag:laptop" ];
dst = [
"europa:22"
"europa:12304"
"startpage:443"
"startdev:443"
"go:80"
"tag:lab:22"
"nbc:443"
];
}
{
action = "accept";
src = [ "tag:minservice" "tag:sshonly" ];
dst = [ "*:22" "box:3030" "nbc:443" "console:2222" ];
}
{
action = "accept";
src = [ "qbit@github" ];
dst = [ "*:*" ]; dst = [ "*:*" ];
} }
{
"action" = "accept";
"src" = [ "tag:internal-server" "tag:external-server" "tag:work" "tag:laptop" ];
"dst" = [ "nbc:443" ];
}
{
"action" = "accept";
"src" = [ "tag:untrusted" "tag:internal-server" ];
"dst" = [ "tag:ro-service:443" ];
}
{
"action" = "accept";
"src" = [ "tag:work" ];
"dst" = [ "console:2222" "startpage:443" ];
}
{
"action" = "accept";
"src" = [ "tag:openbsd" ];
"dst" = [ "box:443" ];
}
{
# prometheus
"action" = "accept";
"src" = [ "box" ];
"dst" = [ "h:9002" "pwntie:9002" ];
}
{
# DNS
"action" = "accept";
"src" = [ "*" ];
"dst" = [ "faf:53" ];
"proto" = "udp";
}
{
# ollama
"action" = "accept";
"src" = [ "europa" ];
"dst" = [ "pwntie:11434" ];
"proto" = "tcp";
}
];
tests = [
{
# RO service can't access things
"src" = "tag:ro-service";
"deny" = [ "tag:laptop:443" "tag:mobile:80" "tag:laptop:22" ];
}
{
"src" = "tag:external-server";
"deny" = [ "tag:laptop:22" ];
}
{
"src" = "tag:laptop";
"allow" = [ "tag:ro-service:443" "tag:ro-service:80" "tag:external-server:22" ];
}
{
"src" = "tag:laptop";
"allow" = [ "qbit@tapenet.org:22" ];
}
{
"src" = "tag:untrusted";
"deny" = [ "tag:laptop:22" ];
"allow" = [ "tag:ro-service:443" ];
}
{
"src" = "tag:laptop";
"allow" = [ "tag:untrusted:22" "tag:untrusted:2222" "tag:work:22" ];
}
{
"src" = "tag:work";
"deny" = [ "tag:laptop:22" ];
}
# Gitle shouldn't be able to access things, but things should access it
{
"src" = "gitle";
"deny" = [ "tag:laptop:22" ];
}
{
"src" = "tag:laptop";
"allow" = [ "gitle:22" ];
}
{
"src" = "tag:laptop";
"allow" = [ "faf:53" ];
}
{
"src" = "tag:internal-server";
"allow" = [ "nbc:443" "tag:ro-service:443" ];
}
{
"src" = "tag:laptop";
"allow" = [ "h:8967" ];
}
{
"src" = "h";
"proto" = "udp";
"allow" = [ "faf:53" ];
}
{
"src" = "tag:openbsd";
"proto" = "tcp";
"allow" = [ "box:443" ];
}
{
"src" = "sputnik";
"proto" = "tcp";
"allow" = [ "europa:1714" ];
}
{
"src" = "sputnik";
"proto" = "udp";
"allow" = [ "europa:1714" ];
}
{
"src" = "europa";
"proto" = "tcp";
"allow" = [ "pwntie:11434" ];
}
]; ];
}; };
in in
@ -59,26 +169,28 @@ let
name = "tailnet-acls.json"; name = "tailnet-acls.json";
text = builtins.toJSON acls; text = builtins.toJSON acls;
}; };
aclUpdateScript = pkgs.writeShellScriptBin "tailnet-acl-updater" '' aclUpdateScript = pkgs.writeShellScriptBin
set -eu "tailnet-acl-updater"
''
set -eu
. ${config.sops.secrets.po_env.path} . ${config.sops.secrets.po_env.path}
JQ=${pkgs.jq}/bin/jq JQ=${pkgs.jq}/bin/jq
PO=${inputs.po.packages.${pkgs.system}.po}/bin/po PO=${inputs.po.packages.${pkgs.system}.po}/bin/po
APIURL="https://api.tailscale.com/api/v2/tailnet/-/acl" APIURL="https://api.tailscale.com/api/v2/tailnet/-/acl"
TOKEN="$(cat ${config.sops.secrets.tailnet_acl_manager.path}):" TOKEN="$(cat ${config.sops.secrets.tailnet_acl_manager.path}):"
ERROR="$(${pkgs.curl}/bin/curl "$APIURL/validate" -u "$TOKEN" -d @${tailnetACLs} | $JQ -r .message)" ERROR="$(${pkgs.curl}/bin/curl "$APIURL/validate" -u "$TOKEN" -d @${tailnetACLs} | $JQ -r .message)"
if [ "$ERROR" = "null" ]; then if [ "$ERROR" = "null" ]; then
RESP="$(${pkgs.curl}/bin/curl "$APIURL" -u "$TOKEN" -d @${tailnetACLs} | $JQ -r .message)" RESP="$(${pkgs.curl}/bin/curl "$APIURL" -u "$TOKEN" -d @${tailnetACLs} | $JQ -r .message)"
if [ "$RESP" != "null" ]; then if [ "$RESP" != "null" ]; then
$PO -title "Failed to update TailNet!" -body "$RESP" $PO -title "Failed to update TailNet!" -body "$RESP"
fi
fi fi
fi '';
'';
jobs = [ jobs = [
{ {
name = "update-talenet-acls"; name = "update-talenet-acls";