From df1a4fef2bcf20a3b54f2fc1b4c8220d663d04cd Mon Sep 17 00:00:00 2001
From: Vincent Ambo <tazjin@google.com>
Date: Tue, 11 Feb 2020 16:36:28 +0000
Subject: feat(nix/tailscale): Add function for generating tailscale ACLs

... and use it on Camden!
---
 nix/tailscale/default.nix    | 19 +++++++++++++++++++
 ops/nixos/camden/default.nix |  9 ++++++++-
 2 files changed, 27 insertions(+), 1 deletion(-)
 create mode 100644 nix/tailscale/default.nix

diff --git a/nix/tailscale/default.nix b/nix/tailscale/default.nix
new file mode 100644
index 0000000000..4f533f6d61
--- /dev/null
+++ b/nix/tailscale/default.nix
@@ -0,0 +1,19 @@
+# This file defines a Nix helper function to create Tailscale ACL files.
+#
+# https://tailscale.com/kb/1018/install-acls
+
+{ pkgs, ... }:
+
+with pkgs.nix.yants;
+
+let
+  inherit (builtins) toFile toJSON;
+
+  entry = struct "aclEntry" {
+    Action = enum [ "accept" "reject" ];
+    Users = list string;
+    Ports = list string;
+  };
+
+  acl = list entry;
+in entries: toFile "tailscale-acl.json" (toJSON (acl entries))
diff --git a/ops/nixos/camden/default.nix b/ops/nixos/camden/default.nix
index d1d601ecb0..ccb580a158 100644
--- a/ops/nixos/camden/default.nix
+++ b/ops/nixos/camden/default.nix
@@ -100,8 +100,15 @@ in pkgs.lib.fix(self: {
   services.tailscale = {
     enable = true;
     relayConf = "/etc/tailscale.conf";
-    aclFile = null; # allow all traffic for testing
     package = pkgs.third_party.tailscale;
+    aclFile = pkgs.nix.tailscale [
+      # Allow any traffic from myself
+      {
+        Action = "accept";
+        Users = [ "mail@tazj.in" ];
+        Ports = [ "*:*" ];
+      }
+    ];
   };
 
   system.stateVersion = "19.09";
-- 
cgit 1.4.1