tailscale-policy.nix
# Builds the Tailscale policy for this tailnet. A hand-written `base`
# fragment is merged with the fragments every host and every "flunk"
# declares through the `iliana.tailscale.policy` NixOS option, and the
# result is emitted as the final policy attribute set (acls, ssh, hosts,
# nodeAttrs, tagOwners, tests).
let
  inherit (builtins)
    attrValues concatMap fromJSON listToAttrs map mapAttrs readFile removeAttrs;

  # Rules that do not belong to any single host.
  base = {
    acls = [
      # Main user -> own devices, exit-node (internet) use, and one fixed
      # tailnet address, over TCP and UDP.
      {
        action = "accept";
        src = ["iliana@github"];
        proto = ["tcp" "udp"];
        dst = [
          "iliana@github:*"
          "autogroup:internet:*"
          "100.111.252.113:*"
        ];
      }
      # Main user -> port 80 on home-assistant-tagged nodes and port 22 on
      # server-tagged nodes, TCP only.
      {
        action = "accept";
        src = ["iliana@github"];
        proto = "tcp";
        dst = [
          "tag:home-assistant:80"
          "tag:server:22"
        ];
      }
      # One fixed peer -> SSH on hydrangea.
      {
        action = "accept";
        src = ["100.108.35.69"];
        proto = "tcp";
        dst = ["hydrangea:22"];
      }
      # Nodes shared into the tailnet -> SSH on one fixed address.
      {
        action = "accept";
        src = ["autogroup:shared"];
        proto = "tcp";
        dst = ["100.113.241.94:22"];
      }
      # tartarus-tagged nodes -> any port on one fixed address.
      {
        action = "accept";
        src = ["tag:tartarus"];
        proto = ["tcp" "udp"];
        dst = ["100.64.31.59:*"];
      }
      # Development Oxide control plane on onerous-tooth, via subnet router
      {
        action = "accept";
        src = ["iliana@github"];
        proto = ["tcp" "udp"];
        dst = [
          "192.168.1.0/24:*"
        ];
      }
      # DNS resolution for Oxide control plane (needs to be allowed for any exit
      # node, because DNS queries are forwarded to the exit node)
      {
        action = "accept";
        src = ["*"];
        proto = ["tcp" "udp"];
        dst = ["192.168.1.20:53" "192.168.1.21:53"];
      }
    ];
    ssh = [];
    # Tags referenced above; every tag collected here ends up in tagOwners.
    tags = [
      "tag:home-assistant"
      "tag:server"
      "tag:tartarus"
    ];
  };

  inherit (import ./default.nix) sources hosts flunks;

  # Evaluates a minimal NixOS configuration consisting only of the policy
  # option module plus one fragment, so `base` and the flunk fragments pass
  # through the same option machinery as real hosts before being merged.
  evalPolicy = policy:
    import (sources.nixpkgs + "/nixos/lib/eval-config.nix") {
      modules = [
        ./modules/base/policy.nix
        {iliana.tailscale.policy = policy;}
      ];
    };

  # One evaluated configuration per flunk, built from its declared fragment.
  flunkConfigs =
    attrValues (mapAttrs (_: flunk: evalPolicy flunk.meta.flunk.tailscale.policy) flunks);

  # All configurations contributing policy, in concatenation order:
  # base first, then every host, then every flunk.
  configs = [(evalPolicy base)] ++ attrValues hosts ++ flunkConfigs;

  # For each policy field declared in `base` (acls, ssh, tags), the
  # concatenation of that field across every configuration.
  combinedPolicy =
    mapAttrs
    (field: _: concatMap (cfg: cfg.config.iliana.tailscale.policy.${field}) configs)
    base;

  # A rule whose proto is exactly ["tcp" "udp"] is emitted without a
  # `proto` field; any other rule is passed through unchanged.
  # NOTE(review): in Tailscale policy an omitted `proto` matches all
  # protocols, not only TCP and UDP — confirm that widening is intended.
  dropDefaultProto = acl:
    if acl.proto == ["tcp" "udp"]
    then removeAttrs acl ["proto"]
    else acl;
in {
  inherit (combinedPolicy) ssh;
  acls = map dropDefaultProto combinedPolicy.acls;
  hosts = fromJSON (readFile ./modules/base/hosts.json);
  # Node attributes: only the main user gets the `funnel` attribute.
  nodeAttrs = [
    {
      target = ["iliana@github"];
      attr = ["funnel"];
    }
  ];
  # Every collected tag is owned by the main user.
  tagOwners = listToAttrs (map (tag: {
    name = tag;
    value = ["iliana@github"];
  }) combinedPolicy.tags);
  # Policy self-tests: per user, the destinations that must be reachable
  # (`allow`) and those that must be blocked (`deny`).
  tests = [
    {
      user = "iliana@github";
      allow = ["iliana@github:1312" "alecto:53" "1.1.1.1:443" "172.20.3.69:22"];
    }
    {
      user = "tag:server";
      allow = ["alecto:53"];
      deny = ["iliana@github:22" "tag:server:22" "1.1.1.1:443" "172.20.3.69:22"];
    }
  ];
}