-rw-r--r--nix/tailscale/default.nix17
-rw-r--r--ops/nixos/camden/default.nix18
2 files changed, 24 insertions, 11 deletions
diff --git a/nix/tailscale/default.nix b/nix/tailscale/default.nix
index 4f533f6d61d2..d836850aa112 100644
--- a/nix/tailscale/default.nix
+++ b/nix/tailscale/default.nix
@@ -9,11 +9,22 @@ with pkgs.nix.yants;
 let
   inherit (builtins) toFile toJSON;
 
-  entry = struct "aclEntry" {
+  acl = struct "acl" {
     Action = enum [ "accept" "reject" ];
     Users = list string;
     Ports = list string;
   };
 
-  acl = list entry;
-in entries: toFile "tailscale-acl.json" (toJSON (acl entries))
+  acls = list entry;
+
+  aclConfig = struct "aclConfig" {
+    # Static group mappings from group names to lists of users
+    Groups = option (attrs (list string));
+
+    # Hostname aliases to use in place of IPs
+    Hosts = option (attrs string);
+
+    # Actual ACL entries
+    ACLs = list acl;
+  };
+in config: toFile "tailscale-acl.json" (toJSON (aclConfig config))
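Review bot: `acls = list entry;` on the new side still refers to `entry`, which this same hunk renames to `acl`, so Nix's scope check rejects the file with an undefined-variable error as soon as it is evaluated; the binding is also dead, because `ACLs = list acl;` builds the list type directly. Drop the line, or if the alias is meant to stay, make it `acls = list acl;` and use it as `ACLs = acls;`. Note that the yants check only verifies field types — `Ports = list string` accepts any string, so a malformed port spec passes here and is presumably only rejected when Tailscale loads the generated JSON; a one-line comment on `Ports` saying the contents are not validated would save the next reader a surprise. The function this `let` belongs to begins before the hunk (the `with pkgs.nix.yants;` context), so its argument is not visible here.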
diff --git a/ops/nixos/camden/default.nix b/ops/nixos/camden/default.nix
index e809446bb6d5..64f1e8d54dd5 100644
--- a/ops/nixos/camden/default.nix
+++ b/ops/nixos/camden/default.nix
@@ -109,14 +109,16 @@ in pkgs.lib.fix(self: {
     enable = true;
     relayConf = "/etc/tailscale.conf";
     package = pkgs.third_party.tailscale;
-    aclFile = pkgs.nix.tailscale [
-      # Allow any traffic from myself
-      {
-        Action = "accept";
-        Users = [ "mail@tazj.in" ];
-        Ports = [ "*:*" ];
-      }
-    ];
+    aclFile = pkgs.nix.tailscale {
+      ACLs = [
+        # Allow any traffic from myself
+        {
+          Action = "accept";
+          Users = [ "mail@tazj.in" ];
+          Ports = [ "*:*" ];
+        }
+      ];
+    } ;
   };
 
   # serve my website
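Review bot: The closing `} ;` of the new `aclFile` value has a stray space before the semicolon; the surrounding attributes close with `};`, so write `};`. Since the optional `Groups` and `Hosts` maps are omitted and the single rule is the entire policy, a short comment above `ACLs` such as `# No Groups/Hosts aliases; this single rule is the whole policy` would make that intent explicit rather than leaving it to be inferred. The enclosing `pkgs.lib.fix(self: {` attribute set starts before the hunk, so the rest of the host config is not visible here.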