multiple(teal): Update teal
feat: Add a.starrysky.blog
feat: re-key keys with shorthairNanoResident age key
chore: update packages
fix: redo headscale options
Change-Id: I27cab9abc4622f0a69811e35d4e0eb87af29b42b
Reviewed-on: https://git.clicks.codes/c/Infra/NixFiles/+/981
Reviewed-by: Skyler Grey <minion@clicks.codes>
Tested-by: Skyler Grey <minion@clicks.codes>
diff --git a/systems/x86_64-linux/teal/default.nix b/systems/x86_64-linux/teal/default.nix
index 8123543..8ccb077 100644
--- a/systems/x86_64-linux/teal/default.nix
+++ b/systems/x86_64-linux/teal/default.nix
@@ -39,12 +39,15 @@
};
sites."docs.auxolotl.org".enable = true;
+ sites."a.starrysky.blog".enable = true;
+ # sites."blog.thecoded.prof".enable = true;
services = {
ssh.enable = true;
headscale = {
enable = true;
domain = "clicks.domains";
+ server_url = "vpn.clicks.codes";
addr = lib.clicks.constants.hosts.generic;
oidc = {
enable = true;
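Review bot: The added `server_url = "vpn.clicks.codes";` carries no scheme, while upstream headscale's `server_url` is the full URL that clients are told to connect to (e.g. `https://vpn.clicks.codes`); unless the local `services.headscale` wrapper prepends `https://`, nodes will be handed a bare hostname. If the wrapper does normalise it, a one-line comment saying so would spare the next reader checking the module. The commented-out `sites."blog.thecoded.prof"` line is left with no reason attached; either drop it or annotate why it is disabled and what has to happen before it is turned on. The `headscale` attribute set this hunk edits continues past the end of the hunk.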
@@ -53,101 +56,63 @@
client_secret_path =
config.age.secrets."clicks.services.headscale.oidc.client_secret_path".path;
};
- database_password_path =
- config.age.secrets."clicks.services.headscale.database_password_path".path;
noise_private_key_path =
config.age.secrets."clicks.services.headscale.noise_private_key_path".path;
- private_key_path =
- config.age.secrets."clicks.services.headscale.private_key_path".path;
- acl =
- let
- internet = [
- "0.0.0.0/5"
- "8.0.0.0/7"
- "11.0.0.0/8"
- "12.0.0.0/6"
- "16.0.0.0/4"
- "32.0.0.0/3"
- "64.0.0.0/3"
- "96.0.0.0/6"
- "100.0.0.0/10"
- "100.128.0.0/9"
- "101.0.0.0/8"
- "102.0.0.0/7"
- "104.0.0.0/5"
- "112.0.0.0/4"
- "128.0.0.0/3"
- "160.0.0.0/5"
- "168.0.0.0/8"
- "169.0.0.0/9"
- "169.128.0.0/10"
- "169.192.0.0/11"
- "169.224.0.0/12"
- "169.240.0.0/13"
- "169.248.0.0/14"
- "169.252.0.0/15"
- "169.255.0.0/16"
- "170.0.0.0/7"
- "172.0.0.0/12"
- "172.32.0.0/11"
- "172.64.0.0/10"
- "172.128.0.0/9"
- "173.0.0.0/8"
- "174.0.0.0/7"
- "176.0.0.0/4"
- "192.0.0.0/9"
- "192.128.0.0/11"
- "192.160.0.0/13"
- "192.169.0.0/16"
- "192.170.0.0/15"
- "192.172.0.0/14"
- "192.176.0.0/12"
- "192.192.0.0/10"
- "193.0.0.0/8"
- "194.0.0.0/7"
- "196.0.0.0/6"
- "200.0.0.0/5"
- "208.0.0.0/4"
- "224.0.0.0/3"
- "ipv6-internet"
- # A nasty hack used because ipv6 colons were messing with dst
- # ports
- ]; # Should be replaceable with autogroup:internet in next release
- in
+ acl = let
+ permitted_area_names = [
+ # Some phonetic alphabet names are excluded here to avoid confusing
+ # them with given names
+ "alpha"
+ "bravo"
+ "delta"
+ "echo"
+ "foxtrot"
+ "golf"
+ "hotel"
+ "india"
+ "kilo"
+ "lima"
+ "november"
+ "papa"
+ "quebec"
+ "sierra"
+ "tango"
+ "uniform"
+ "whiskey"
+ "xray"
+ "yankee"
+ "zulu"
+ ];
+
+ assigned_areas = {
+ "alpha" = "coded";
+ "bravo" = "minion";
+ "echo" = "maddie";
+ "sierra" = "pineafan";
+ "tango" = "mostlyturquoise";
+ "zulu" = "zanderp25";
+ };
+
+ users = [
+ "coded"
+ "maddie"
+ "minion"
+ "pineafan"
+ "zanderp25"
+ "mostlyturquoise"
+ ];
+
+ friends = [
+ "sirdigalot"
+ ];
+ in
{
- groups."group:users" = [
+ groups."group:maintainer" = [
"coded"
- "maddie"
"minion"
- "pineafan"
- "zanderp25"
- "mostlyturquoise"
];
- groups."group:friends" = [
- "sirdigalot"
- ];
- groups."group:areas" = [
- # Some phonetic alphabet names are excluded here to avoid confusing
- # them with given names
- "alpha"
- "bravo"
- "echo"
- "foxtrot"
- "hotel"
- "india"
- "kilo"
- "lima"
- "november"
- "papa"
- "sierra"
- "tango"
- "uniform"
- "whiskey"
- "xray"
- "yankee"
- "zulu"
- ];
- hosts.ipv6-internet = "2000::/3";
+ groups."group:users" = users;
+ groups."group:friends" = friends;
acls = [
{
@@ -156,8 +121,8 @@
dst = [
"group:users:*"
"group:friends:*"
- "group:areas:*"
- ] ++ (lib.forEach internet (host: "${host}:*"));
+ "autogroup:internet:*"
+ ] ++ (map (tag: "tag:${tag}:*") permitted_area_names);
}
{
action = "accept";
@@ -169,8 +134,8 @@
}
{
action = "accept";
- src = [ "group:areas" ];
- dst = [ "group:areas:*" ];
+ src = (map (tag: "tag:${tag}") permitted_area_names);
+ dst = (map (tag: "tag:${tag}:*") permitted_area_names);
}
{
action = "accept";
@@ -178,6 +143,49 @@
dst = [ "zanderp25:3000" ];
}
];
+
+ ssh = [
+ {
+ action = "check";
+ src = ["group:users"];
+ dst = (map (tag: "tag:${tag}") permitted_area_names);
+ checkPeriod = "8h";
+ acceptEnv = [
+ "BAT_THEME"
+ "COLORTERM"
+ "JQ_COLORS"
+ "LANG"
+ "LS_COLORS"
+ "LSCOLORS"
+ "TERM"
+ ];
+ }
+ ] ++ (lib.attrsets.mapAttrsToList (area: user: {
+ action = "check";
+ src = [ user ];
+ dst = [ "tag:${area}" ];
+ checkPeriod = "2h";
+ users = [ "root" "autogroup:nonroot" ];
+ acceptEnv = [ "*" ];
+ }) assigned_areas) ++ (map (user: {
+ action = "check";
+ src = [ user ];
+ dst = [ user ];
+ checkPeriod = "2h";
+ users = [ "root" "autogroup:nonroot" ];
+ acceptEnv = [ "*" ];
+ }) (users ++ friends));
+
+ tagOwners = (lib.pipe permitted_area_names [
+ (map (area: {
+ name = "tag:${area}";
+ value = [ "group:maintainer" ];
+ }))
+ lib.listToAttrs
+ ]) // (lib.attrsets.mapAttrs' (area: user: {
+ name = "tag:${area}";
+ value = [ "group:maintainer" user ];
+ }) assigned_areas);
};
};
fava = {
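Review bot: The first `ssh` rule (`src = ["group:users"]` to every area tag) has no `users` attribute, so it is unclear which account a member of `group:users` may log in as on a tagged node; as far as I recall Tailscale's SSH policy requires `users`, and headscale builds the permitted-login map from that list, so an empty list most likely yields a rule that matches no login rather than "any user". If non-root access is the intent, add `users = [ "autogroup:nonroot" ];` beside `checkPeriod = "8h";`. The two generated rule sets pair `users = [ "root" "autogroup:nonroot" ]` with `acceptEnv = [ "*" ]`; the session already runs as the requested user so this is not an escalation, but forwarding arbitrary client variables (e.g. `LD_PRELOAD`, `BASH_ENV`) into a root shell is broader than the explicit list the first rule uses, and either reusing that list or documenting why `*` is needed would keep the three rules consistent. `lib.attrsets.mapAttrsToList` and `lib.attrsets.mapAttrs'` could use the top-level `lib.mapAttrsToList`/`lib.mapAttrs'` aliases, matching the `lib.pipe`/`lib.listToAttrs` style used next to them.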
@@ -325,16 +333,8 @@
rekeyFile = ./clicks.services.headscale.oidc.client_secret_path.age;
group = "headscale";
};
- age.secrets."clicks.services.headscale.database_password_path" = {
- rekeyFile = ./clicks.services.headscale.database_password_path.age;
- group = "headscale";
- };
age.secrets."clicks.services.headscale.noise_private_key_path" = {
rekeyFile = ./clicks.services.headscale.noise_private_key_path.age;
group = "headscale";
};
- age.secrets."clicks.services.headscale.private_key_path" = {
- rekeyFile = ./clicks.services.headscale.private_key_path.age;
- group = "headscale";
- };
}