feat(headscale): Add "friends" group to ACL

Friends can access other people's machines, but they aren't allowed to
access our servers. The use-case here is people who should be able to,
e.g., use our headscale instance to play Minecraft with friends but
should not, e.g., be able to access our finances through
https://fava.clicks.codes

Change-Id: Idaed7133c951edb6e1fcd6b0f58f363b65161028
Reviewed-on: https://git.clicks.codes/c/Infra/NixFiles/+/803
Reviewed-by: Skyler Grey <minion@clicks.codes>
Tested-by: Skyler Grey <minion@clicks.codes>
diff --git a/systems/x86_64-linux/teal/default.nix b/systems/x86_64-linux/teal/default.nix
index 83cacf7..a97ccd8 100644
--- a/systems/x86_64-linux/teal/default.nix
+++ b/systems/x86_64-linux/teal/default.nix
@@ -122,6 +122,9 @@
               "pineafan"
               "zanderp25"
             ];
+            groups."group:friends" = [
+              "sirdigalot"
+            ];
             groups."group:areas" = [
               # Some phonetic alphabet names are excluded here to avoid confusing
               # them with given names
@@ -151,11 +154,20 @@
                 src = [ "group:users" ];
                 dst = [
                   "group:users:*"
+                  "group:friends:*"
                   "group:areas:*"
                 ] ++ (lib.forEach internet (host: "${host}:*"));
               }
               {
                 action = "accept";
+                src = [ "group:friends" ];
+                dst = [
+                  "group:users:*"
+                  "group:friends:*"
+                ];
+              }
+              {
+                action = "accept";
                 src = [ "group:areas" ];
                 dst = [ "group:areas:*" ];
               }
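Review bot: The new `group:friends` rule grants `group:users:*` and `group:friends:*`, which is every port on every device owned by a member of either group, so the commit message's promise of no server access holds only if no server node is registered under one of those users. Node ownership is not visible in this hunk, so it is worth confirming that the servers are owned only by `group:areas` identities. I would record the invariant next to the rule, e.g. `# friends: personal devices only; never add group:areas or internet hosts here`. If the intended use is game traffic, consider narrowing `*` to the ports actually needed. The enclosing ACL list starts and ends outside the hunk.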