-rw-r--r--nix/tailscale/default.nix19
-rw-r--r--ops/nixos/camden/default.nix9
2 files changed, 27 insertions, 1 deletions
diff --git a/nix/tailscale/default.nix b/nix/tailscale/default.nix
new file mode 100644
index 000000000000..4f533f6d61d2
--- /dev/null
+++ b/nix/tailscale/default.nix
@@ -0,0 +1,19 @@
+# This file defines a Nix helper function to create Tailscale ACL files.
+#
+# https://tailscale.com/kb/1018/install-acls
+
+{ pkgs, ... }:
+
+with pkgs.nix.yants;
+
+let
+  inherit (builtins) toFile toJSON;
+
+  entry = struct "aclEntry" {
+    Action = enum [ "accept" "reject" ];
+    Users = list string;
+    Ports = list string;
+  };
+
+  acl = list entry;
+in entries: toFile "tailscale-acl.json" (toJSON (acl entries))
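Review bot: The yants schema at `entry` only checks that `Ports` and `Users` are lists of strings, so a malformed port spec (`"*"` instead of `"*:*"`, a missing host part) or an empty `entries` list passes evaluation and is only rejected, or silently interpreted, when the relay parses the file at runtime. A cheap improvement is a `restrict` on the port strings, e.g. `Ports = list (restrict "host:port" (p: builtins.match "[^:]+:[^:]+" p != null) string);`, so typos fail at `nixos-rebuild` rather than in production. The helper also emits a bare JSON list; if the consumer expects the top-level object shown in the linked KB article (an `ACLs` key alongside `Groups`/`Hosts`), that wrapping needs to happen here — confirm against the relay's parser. Finally, `toFile` places the rendered ACL in the world-readable Nix store, which is fine for a policy document but worth a one-line comment so nobody later adds secrets (e.g. auth keys) through this path.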
diff --git a/ops/nixos/camden/default.nix b/ops/nixos/camden/default.nix
index d1d601ecb000..ccb580a15899 100644
--- a/ops/nixos/camden/default.nix
+++ b/ops/nixos/camden/default.nix
@@ -100,8 +100,15 @@ in pkgs.lib.fix(self: {
   services.tailscale = {
     enable = true;
     relayConf = "/etc/tailscale.conf";
-    aclFile = null; # allow all traffic for testing
     package = pkgs.third_party.tailscale;
+    aclFile = pkgs.nix.tailscale [
+      # Allow any traffic from myself
+      {
+        Action = "accept";
+        Users = [ "mail@tazj.in" ];
+        Ports = [ "*:*" ];
+      }
+    ];
   };
 
   system.stateVersion = "19.09";
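Review bot: The single rule at L47–L49 grants `mail@tazj.in` access to every port on every node (`"*:*"`), which for that identity is the same posture as the removed `aclFile = null` "allow all" line — the gain here is only that other identities are now implicitly denied, and that default-deny behaviour is not stated anywhere in the block. I would record the intent in the comment, e.g. `# Only my own devices may reach the tailnet; everything else is denied by default (no matching rule).`, and, if this host exposes more than a handful of services, narrow `Ports` to the host:port pairs actually needed rather than `*:*` so a compromised client device does not get the whole tailnet. Note that `aclFile` now points into the Nix store, so the effective policy changes only on rebuild; a separate `tailscale.conf`-style runtime edit will not affect it. The enclosing `services.tailscale` block is fully visible, but the surrounding `pkgs.lib.fix` expression starts before this hunk.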