feat(teal): Add headscale ACLs

Currently the ACLs are pretty basic: users (currently coded, minion and
pineafan) can access anything, while areas (the devices we are running
as servers) can only access other areas.

We can work on more complex ACLs in the future, but for now this is
preferable to nothing.

Refs: 36dcad1f5f4583a12c23e160929fda467f5574cbd0aba00d
Change-Id: I07b42bff444eb0d3d766a070578b97460443aa31
Reviewed-on: https://git.clicks.codes/c/Infra/NixFiles/+/745
Reviewed-by: Samuel Shuert <coded@clicks.codes>
Tested-by: Skyler Grey <minion@clicks.codes>
diff --git a/systems/x86_64-linux/teal/default.nix b/systems/x86_64-linux/teal/default.nix
index a0595cc..7448b92 100644
--- a/systems/x86_64-linux/teal/default.nix
+++ b/systems/x86_64-linux/teal/default.nix
@@ -48,6 +48,31 @@
           config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}".paths.noise_private_key;
         private_key_path =
           config.clicks.secrets."${lib.clicks.secrets.name ./headscale.sops.json}".paths.private_key;
+        acl = {
+          groups."group:users" = [
+            "minion"
+            "coded"
+            "pineafan"
+          ];
+          groups."group:areas" = [
+            "alpha"
+            "bravo"
+            "charlie"
+          ];
+
+          acls = [
+            {
+              action = "accept";
+              src = [ "group:users" ];
+              dst = [ "*:*" ];
+            }
+            {
+              action = "accept";
+              src = [ "group:areas" ];
+              dst = [ "group:areas:*" ];
+            }
+          ];
+        };
       };
     };
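Review bot: The first rule's `dst = [ "*:*" ]` lets every node registered to the three users in `group:users` reach every port on every node, including the servers in `group:areas`. The policy is therefore only as strong as the least-protected user device or enrolment key. Since the commit message calls this a stop-gap, I would record that in the file with a comment above `acls`, for example `# Interim policy: users reach all nodes and ports; areas reach only other areas; tighten per-service later.` It would also help to note next to the second rule that areas get no route to user devices because nothing else is accepted (Tailscale-style policies deny by default), so a later edit does not widen it by accident. The enclosing attribute set starts above the hunk, so I can't see which module option `acl` feeds into.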