configs/tailnet: start managing tailnet ACLs
This commit is contained in:
parent
4328ac5b98
commit
ff23ee6e56
@ -25,6 +25,8 @@ in
|
||||
};
|
||||
};
|
||||
|
||||
imports = [./tailnet.nix];
|
||||
|
||||
config = mkIf config.nixManager.enable {
|
||||
sops.defaultSopsFile = config.xin-secrets.manager;
|
||||
sops.secrets = {
|
||||
@ -36,11 +38,13 @@ in
|
||||
ca_cert = {owner = config.nixManager.user;};
|
||||
po_env = {owner = config.nixManager.user;};
|
||||
};
|
||||
|
||||
environment.systemPackages = [
|
||||
microca
|
||||
inputs.xintray.packages.${pkgs.system}.xintray
|
||||
inputs.po.packages.${pkgs.system}.po
|
||||
];
|
||||
|
||||
networking = {
|
||||
hosts = {
|
||||
"66.135.2.235" = ["ns1"];
|
||||
|
102
configs/tailnet.nix
Normal file
102
configs/tailnet.nix
Normal file
@ -0,0 +1,102 @@
|
||||
{
|
||||
config,
|
||||
pkgs,
|
||||
lib,
|
||||
inputs,
|
||||
xinlib,
|
||||
...
|
||||
}: let
|
||||
tailnetACLs = let
|
||||
acls = {
|
||||
hosts = {
|
||||
europa = "100.92.31.80";
|
||||
startpage = "100.120.84.116";
|
||||
startdev = "100.92.56.119";
|
||||
go = "100.117.47.51";
|
||||
nbc = "100.122.61.43"; # nix-binary-cache
|
||||
console = "100.87.112.70";
|
||||
box = "100.120.151.126";
|
||||
};
|
||||
|
||||
tagOwners = {
|
||||
"tag:untrusted" = ["qbit@github"];
|
||||
"tag:minservice" = ["qbit@github"];
|
||||
"tag:apper" = ["qbit@github"];
|
||||
"tag:golink" = ["qbit@github"];
|
||||
"tag:lab" = ["qbit@github"];
|
||||
};
|
||||
|
||||
acls = [
|
||||
{
|
||||
action = "accept";
|
||||
src = ["tag:untrusted"];
|
||||
dst = [
|
||||
"europa:22"
|
||||
"europa:12304"
|
||||
"startpage:443"
|
||||
"startdev:443"
|
||||
"go:80"
|
||||
"tag:lab:22"
|
||||
"nbc:443"
|
||||
];
|
||||
}
|
||||
{
|
||||
action = "accept";
|
||||
src = ["tag:minservice"];
|
||||
dst = ["*:22" "box:3030" "nbc:443" "console:2222"];
|
||||
}
|
||||
{
|
||||
action = "accept";
|
||||
src = ["qbit@github"];
|
||||
dst = ["*:*"];
|
||||
}
|
||||
];
|
||||
};
|
||||
in
|
||||
pkgs.writeTextFile {
|
||||
name = "tailnet-acls.json";
|
||||
text = builtins.toJSON acls;
|
||||
};
|
||||
aclUpdateScript = pkgs.writeShellScriptBin "tailnet-acl-updater" ''
|
||||
set -eu
|
||||
|
||||
. ${config.sops.secrets.po_env.path}
|
||||
|
||||
JQ=${pkgs.jq}/bin/jq
|
||||
PO=${inputs.po.packages.${pkgs.system}.po}/bin/po
|
||||
|
||||
APIURL="https://api.tailscale.com/api/v2/tailnet/-/acl"
|
||||
TOKEN="$(cat ${config.sops.secrets.tailnet_acl_manager.path}):"
|
||||
|
||||
ERROR="$(${pkgs.curl}/bin/curl "$APIURL/validate" -u "$TOKEN" -d @${tailnetACLs} | $JQ -r .message)"
|
||||
|
||||
if [ "$ERROR" = "null" ]; then
|
||||
RESP="$(${pkgs.curl}/bin/curl "$APIURL" -u "$TOKEN" -d @${tailnetACLs} | $JQ -r .message)"
|
||||
if [ "$RESP" != "null" ]; then
|
||||
$PO -title "Failed to update TailNet!" -body "$RESP"
|
||||
fi
|
||||
fi
|
||||
'';
|
||||
jobs = [
|
||||
{
|
||||
name = "update-talenet-acls";
|
||||
script = "${aclUpdateScript}/bin/tailnet-acl-updater";
|
||||
startAt = "*:30:00";
|
||||
path = [];
|
||||
inherit (config.nixManager) user;
|
||||
}
|
||||
];
|
||||
in
|
||||
with lib; {
|
||||
sops.secrets = {
|
||||
tailnet_acl_manager = {
|
||||
owner = config.nixManager.user;
|
||||
sopsFile = config.xin-secrets.manager;
|
||||
};
|
||||
po_env = {
|
||||
owner = config.nixManager.user;
|
||||
sopsFile = config.xin-secrets.manager;
|
||||
};
|
||||
};
|
||||
systemd.services = listToAttrs (builtins.map xinlib.jobToService jobs);
|
||||
}
|
8
flake.lock
generated
8
flake.lock
generated
@ -437,11 +437,11 @@
|
||||
"stable": "stable_2"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1686765987,
|
||||
"narHash": "sha256-dwT4w+dFG5ovM9ip32fj54I8Bq427SQZ91X/wJ3mhXU=",
|
||||
"lastModified": 1690469873,
|
||||
"narHash": "sha256-ohAEIlsdUeOiIxsmN8GU6M5Ui0p1kChkxWQ+dYQGNTk=",
|
||||
"ref": "main",
|
||||
"rev": "4019a419bd9ab0e927d44cb4ff4b84654de90712",
|
||||
"revCount": 100,
|
||||
"rev": "aa792f779df5b2227b6087c8a04cc88dec0f506a",
|
||||
"revCount": 101,
|
||||
"type": "git",
|
||||
"url": "ssh://xin-secrets-ro/qbit/xin-secrets.git"
|
||||
},
|
||||
|
32
flake.nix
32
flake.nix
@ -230,21 +230,21 @@
|
||||
];
|
||||
};
|
||||
|
||||
weatherzero = buildSys "armv6l" stable [
|
||||
"${stable}/nixos/modules/installer/sd-card/sd-image-raspberrypi.nix"
|
||||
{
|
||||
nixpkgs = {
|
||||
buildPlatform = {
|
||||
system = "x86_64-linux";
|
||||
config = "x86_64-unknown-linux-gnu";
|
||||
};
|
||||
hostPlatform = {
|
||||
system = "armv6l-linux";
|
||||
config = "armv6l-unknown-linux-gnueabihf";
|
||||
};
|
||||
};
|
||||
}
|
||||
] "weatherzero";
|
||||
#weatherzero = buildSys "armv6l" stable [
|
||||
# "${stable}/nixos/modules/installer/sd-card/sd-image-raspberrypi.nix"
|
||||
# {
|
||||
# nixpkgs = {
|
||||
# buildPlatform = {
|
||||
# system = "x86_64-linux";
|
||||
# config = "x86_64-unknown-linux-gnu";
|
||||
# };
|
||||
# hostPlatform = {
|
||||
# system = "armv6l-linux";
|
||||
# config = "armv6l-unknown-linux-gnueabihf";
|
||||
# };
|
||||
# };
|
||||
# }
|
||||
#] "weatherzero";
|
||||
|
||||
isoInstall = stable.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
@ -346,7 +346,7 @@
|
||||
};
|
||||
|
||||
checks = let
|
||||
buildList = ["europa" "stan" "h" "box" "faf" "weatherzero"];
|
||||
buildList = ["europa" "stan" "h" "box" "faf"];
|
||||
in
|
||||
with unstable.lib;
|
||||
foldl' recursiveUpdate {} (mapAttrsToList (name: system: {
|
||||
|
Loading…
Reference in New Issue
Block a user