configs/tailnet: start managing tailnet ACLs

configs/manager.nix

@@ -25,6 +25,8 @@ in
       };
     };
 
+    imports = [./tailnet.nix];
+
     config = mkIf config.nixManager.enable {
       sops.defaultSopsFile = config.xin-secrets.manager;
       sops.secrets = {
@@ -36,11 +38,13 @@ in
         ca_cert = {owner = config.nixManager.user;};
         po_env = {owner = config.nixManager.user;};
       };
+
       environment.systemPackages = [
         microca
         inputs.xintray.packages.${pkgs.system}.xintray
         inputs.po.packages.${pkgs.system}.po
       ];
+
       networking = {
         hosts = {
           "66.135.2.235" = ["ns1"];

configs/tailnet.nix

@@ -0,0 +1,102 @@
+{
+  config,
+  pkgs,
+  lib,
+  inputs,
+  xinlib,
+  ...
+}: let
+  tailnetACLs = let
+    acls = {
+      hosts = {
+        europa = "100.92.31.80";
+        startpage = "100.120.84.116";
+        startdev = "100.92.56.119";
+        go = "100.117.47.51";
+        nbc = "100.122.61.43"; # nix-binary-cache
+        console = "100.87.112.70";
+        box = "100.120.151.126";
+      };
+
+      tagOwners = {
+        "tag:untrusted" = ["qbit@github"];
+        "tag:minservice" = ["qbit@github"];
+        "tag:apper" = ["qbit@github"];
+        "tag:golink" = ["qbit@github"];
+        "tag:lab" = ["qbit@github"];
+      };
+
+      acls = [
+        {
+          action = "accept";
+          src = ["tag:untrusted"];
+          dst = [
+            "europa:22"
+            "europa:12304"
+            "startpage:443"
+            "startdev:443"
+            "go:80"
+            "tag:lab:22"
+            "nbc:443"
+          ];
+        }
+        {
+          action = "accept";
+          src = ["tag:minservice"];
+          dst = ["*:22" "box:3030" "nbc:443" "console:2222"];
+        }
+        {
+          action = "accept";
+          src = ["qbit@github"];
+          dst = ["*:*"];
+        }
+      ];
+    };
+  in
+    pkgs.writeTextFile {
+      name = "tailnet-acls.json";
+      text = builtins.toJSON acls;
+    };
+  aclUpdateScript = pkgs.writeShellScriptBin "tailnet-acl-updater" ''
+    set -eu
+
+    . ${config.sops.secrets.po_env.path}
+
+    JQ=${pkgs.jq}/bin/jq
+    PO=${inputs.po.packages.${pkgs.system}.po}/bin/po
+
+    APIURL="https://api.tailscale.com/api/v2/tailnet/-/acl"
+    TOKEN="$(cat ${config.sops.secrets.tailnet_acl_manager.path}):"
+
+    ERROR="$(${pkgs.curl}/bin/curl "$APIURL/validate" -u "$TOKEN" -d @${tailnetACLs} | $JQ -r .message)"
+
+    if [ "$ERROR" = "null" ]; then
+      RESP="$(${pkgs.curl}/bin/curl "$APIURL" -u "$TOKEN" -d @${tailnetACLs} | $JQ -r .message)"
+      if [ "$RESP" != "null" ]; then
+        $PO -title "Failed to update TailNet!" -body "$RESP"
+      fi
+    fi
+  '';
+  jobs = [
+    {
+      name = "update-talenet-acls";
+      script = "${aclUpdateScript}/bin/tailnet-acl-updater";
+      startAt = "*:30:00";
+      path = [];
+      inherit (config.nixManager) user;
+    }
+  ];
+in
+  with lib; {
+    sops.secrets = {
+      tailnet_acl_manager = {
+        owner = config.nixManager.user;
+        sopsFile = config.xin-secrets.manager;
+      };
+      po_env = {
+        owner = config.nixManager.user;
+        sopsFile = config.xin-secrets.manager;
+      };
+    };
+    systemd.services = listToAttrs (builtins.map xinlib.jobToService jobs);
+  }

flake.lock

@@ -437,11 +437,11 @@
         "stable": "stable_2"
       },
       "locked": {
-        "lastModified": 1686765987,
+        "lastModified": 1690469873,
-        "narHash": "sha256-dwT4w+dFG5ovM9ip32fj54I8Bq427SQZ91X/wJ3mhXU=",
+        "narHash": "sha256-ohAEIlsdUeOiIxsmN8GU6M5Ui0p1kChkxWQ+dYQGNTk=",
         "ref": "main",
-        "rev": "4019a419bd9ab0e927d44cb4ff4b84654de90712",
+        "rev": "aa792f779df5b2227b6087c8a04cc88dec0f506a",
-        "revCount": 100,
+        "revCount": 101,
         "type": "git",
         "url": "ssh://xin-secrets-ro/qbit/xin-secrets.git"
       },

flake.nix

@@ -230,21 +230,21 @@
         ];
       };
 
-      weatherzero = buildSys "armv6l" stable [
+      #weatherzero = buildSys "armv6l" stable [
-        "${stable}/nixos/modules/installer/sd-card/sd-image-raspberrypi.nix"
+      #  "${stable}/nixos/modules/installer/sd-card/sd-image-raspberrypi.nix"
-        {
+      #  {
-          nixpkgs = {
+      #    nixpkgs = {
-            buildPlatform = {
+      #      buildPlatform = {
-              system = "x86_64-linux";
+      #        system = "x86_64-linux";
-              config = "x86_64-unknown-linux-gnu";
+      #        config = "x86_64-unknown-linux-gnu";
-            };
+      #      };
-            hostPlatform = {
+      #      hostPlatform = {
-              system = "armv6l-linux";
+      #        system = "armv6l-linux";
-              config = "armv6l-unknown-linux-gnueabihf";
+      #        config = "armv6l-unknown-linux-gnueabihf";
-            };
+      #      };
-          };
+      #    };
-        }
+      #  }
-      ] "weatherzero";
+      #] "weatherzero";
 
       isoInstall = stable.lib.nixosSystem {
         system = "x86_64-linux";
@@ -346,7 +346,7 @@
     };
 
     checks = let
-      buildList = ["europa" "stan" "h" "box" "faf" "weatherzero"];
+      buildList = ["europa" "stan" "h" "box" "faf"];
     in
       with unstable.lib;
         foldl' recursiveUpdate {} (mapAttrsToList (name: system: {