configs/tailnet: start managing tailnet ACLs

Aaron Bieber 2023-07-27 09:51:55 -06:00
parent 4328ac5b98
commit ff23ee6e56
No known key found for this signature in database
4 changed files with 126 additions and 20 deletions


@ -25,6 +25,8 @@ in
};
};
imports = [./tailnet.nix];
config = mkIf config.nixManager.enable {
sops.defaultSopsFile = config.xin-secrets.manager;
sops.secrets = {
@ -36,11 +38,13 @@ in
ca_cert = {owner = config.nixManager.user;};
po_env = {owner = config.nixManager.user;};
};
environment.systemPackages = [
microca
inputs.xintray.packages.${pkgs.system}.xintray
inputs.po.packages.${pkgs.system}.po
];
networking = {
hosts = {
"66.135.2.235" = ["ns1"];

102
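--- a/configs/tailnet.nix
+++ b/configs/tailnet.nix
+{
+config,
+pkgs,
+lib,
+inputs,
+xinlib,
+...
+}: let
+tailnetACLs = let
+acls = {
+hosts = {
+europa = "100.92.31.80";
+startpage = "100.120.84.116";
+startdev = "100.92.56.119";
+go = "100.117.47.51";
+nbc = "100.122.61.43"; # nix-binary-cache
+console = "100.87.112.70";
+box = "100.120.151.126";
+};
+tagOwners = {
+"tag:untrusted" = ["qbit@github"];
+"tag:minservice" = ["qbit@github"];
+"tag:apper" = ["qbit@github"];
+"tag:golink" = ["qbit@github"];
+"tag:lab" = ["qbit@github"];
+};
+acls = [
+{
+action = "accept";
+src = ["tag:untrusted"];
+dst = [
+"europa:22"
+"europa:12304"
+"startpage:443"
+"startdev:443"
+"go:80"
+"tag:lab:22"
+"nbc:443"
+];
+}
+{
+action = "accept";
+src = ["tag:minservice"];
+dst = ["*:22" "box:3030" "nbc:443" "console:2222"];
+}
+{
+action = "accept";
+src = ["qbit@github"];
+dst = ["*:*"];
+}
+];
+};
+in
+pkgs.writeTextFile {
+name = "tailnet-acls.json";
+text = builtins.toJSON acls;
+};
+aclUpdateScript = pkgs.writeShellScriptBin "tailnet-acl-updater" ''
+set -eu
+. ${config.sops.secrets.po_env.path}
+JQ=${pkgs.jq}/bin/jq
+PO=${inputs.po.packages.${pkgs.system}.po}/bin/po
+APIURL="https://api.tailscale.com/api/v2/tailnet/-/acl"
+TOKEN="$(cat ${config.sops.secrets.tailnet_acl_manager.path}):"
+ERROR="$(${pkgs.curl}/bin/curl "$APIURL/validate" -u "$TOKEN" -d @${tailnetACLs} | $JQ -r .message)"
+if [ "$ERROR" = "null" ]; then
+RESP="$(${pkgs.curl}/bin/curl "$APIURL" -u "$TOKEN" -d @${tailnetACLs} | $JQ -r .message)"
+if [ "$RESP" != "null" ]; then
+$PO -title "Failed to update TailNet!" -body "$RESP"
+fi
+fi
+'';
+jobs = [
+{
+name = "update-talenet-acls";
+script = "${aclUpdateScript}/bin/tailnet-acl-updater";
+startAt = "*:30:00";
+path = [];
+inherit (config.nixManager) user;
+}
+];
+in
+with lib; {
+sops.secrets = {
+tailnet_acl_manager = {
+owner = config.nixManager.user;
+sopsFile = config.xin-secrets.manager;
+};
+po_env = {
+owner = config.nixManager.user;
+sopsFile = config.xin-secrets.manager;
+};
+};
+systemd.services = listToAttrs (builtins.map xinlib.jobToService jobs);
+}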
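Review bot: The Tailscale API key is handed to curl on the command line (`-u "$TOKEN"` in both the validate and the update call), so for the duration of each request it is readable in `/proc/*/cmdline` by any local account on the manager host; feeding it through a curl config on stdin (`-K -`) keeps it out of argv. The update POST also sends no `If-Match`, so every half-hourly run replaces whatever policy is current — including edits made in the admin console — where the API documents an ETag precondition for exactly this case, which the rewrite below uses. A validation failure only skips the update without notifying anyone (`$PO` fires on a failed update but not when `$ERROR` is non-null), so a broken policy goes unnoticed, and `set -eu` without `-o pipefail` lets a failed curl through the pipe as an empty message. Separately, `tag:minservice` is granted `*:22`, i.e. SSH to every host on the tailnet, which is worth confirming is intended given the tag name, and the job name `update-talenet-acls` has a typo that will become the unit name.
```nix
aclUpdateScript = pkgs.writeShellScriptBin "tailnet-acl-updater" ''
  set -euo pipefail
  # … unchanged: source po_env, JQ, PO, APIURL …
  # The key reaches curl via a config on stdin, never as an argument.
  tscurl() {
    printf 'user = "%s:"\n' "$(cat ${config.sops.secrets.tailnet_acl_manager.path})" \
      | ${pkgs.curl}/bin/curl -sS -K - "$@"
  }
  ERROR="$(tscurl "$APIURL/validate" -d @${tailnetACLs} | $JQ -r .message)"
  if [ "$ERROR" != "null" ]; then
    $PO -title "TailNet ACL validation failed!" -body "$ERROR"
    exit 1
  fi
  # Replace only the policy we just read; a concurrent edit then fails the precondition instead of being clobbered.
  ETAG="$(tscurl -o /dev/null -D - "$APIURL" | ${pkgs.gnused}/bin/sed -n 's/^[Ee][Tt][Aa][Gg]: *//p' | tr -d '\r')"
  RESP="$(tscurl "$APIURL" -H "If-Match: $ETAG" -d @${tailnetACLs} | $JQ -r .message)"
  # … unchanged: notify via $PO when RESP is not null …
'';
```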

8
flake.lock generated

@ -437,11 +437,11 @@
"stable": "stable_2"
},
"locked": {
"lastModified": 1686765987,
"narHash": "sha256-dwT4w+dFG5ovM9ip32fj54I8Bq427SQZ91X/wJ3mhXU=",
"lastModified": 1690469873,
"narHash": "sha256-ohAEIlsdUeOiIxsmN8GU6M5Ui0p1kChkxWQ+dYQGNTk=",
"ref": "main",
"rev": "4019a419bd9ab0e927d44cb4ff4b84654de90712",
"revCount": 100,
"rev": "aa792f779df5b2227b6087c8a04cc88dec0f506a",
"revCount": 101,
"type": "git",
"url": "ssh://xin-secrets-ro/qbit/xin-secrets.git"
},


@ -230,21 +230,21 @@
];
};
weatherzero = buildSys "armv6l" stable [
"${stable}/nixos/modules/installer/sd-card/sd-image-raspberrypi.nix"
{
nixpkgs = {
buildPlatform = {
system = "x86_64-linux";
config = "x86_64-unknown-linux-gnu";
};
hostPlatform = {
system = "armv6l-linux";
config = "armv6l-unknown-linux-gnueabihf";
};
};
}
] "weatherzero";
#weatherzero = buildSys "armv6l" stable [
# "${stable}/nixos/modules/installer/sd-card/sd-image-raspberrypi.nix"
# {
# nixpkgs = {
# buildPlatform = {
# system = "x86_64-linux";
# config = "x86_64-unknown-linux-gnu";
# };
# hostPlatform = {
# system = "armv6l-linux";
# config = "armv6l-unknown-linux-gnueabihf";
# };
# };
# }
#] "weatherzero";
isoInstall = stable.lib.nixosSystem {
system = "x86_64-linux";
@ -346,7 +346,7 @@
};
checks = let
buildList = ["europa" "stan" "h" "box" "faf" "weatherzero"];
buildList = ["europa" "stan" "h" "box" "faf"];
in
with unstable.lib;
foldl' recursiveUpdate {} (mapAttrsToList (name: system: {