diff --git a/nix/tailscale/default.nix b/nix/tailscale/default.nix
index 4f533f6d6..d836850aa 100644
--- a/nix/tailscale/default.nix
+++ b/nix/tailscale/default.nix
@@ -9,11 +9,22 @@ with pkgs.nix.yants;
 let
 inherit (builtins) toFile toJSON;
- entry = struct "aclEntry" {
+ acl = struct "acl" {
 Action = enum [ "accept" "reject" ];
 Users = list string;
 Ports = list string;
 };
- acl = list entry;
-in entries: toFile "tailscale-acl.json" (toJSON (acl entries))
+ acls = list entry;
+
+ aclConfig = struct "aclConfig" {
+ # Static group mappings from group names to lists of users
+ Groups = option (attrs (list string));
+
+ # Hostname aliases to use in place of IPs
+ Hosts = option (attrs string);
+
+ # Actual ACL entries
+ ACLs = list acl;
+ };
+in config: toFile "tailscale-acl.json" (toJSON (aclConfig config))
diff --git a/ops/nixos/camden/default.nix b/ops/nixos/camden/default.nix
index e809446bb..64f1e8d54 100644
--- a/ops/nixos/camden/default.nix
+++ b/ops/nixos/camden/default.nix
@@ -109,14 +109,16 @@ in pkgs.lib.fix(self: {
 enable = true;
 relayConf = "/etc/tailscale.conf";
 package = pkgs.third_party.tailscale;
- aclFile = pkgs.nix.tailscale [
- # Allow any traffic from myself
- {
- Action = "accept";
- Users = [ "mail@tazj.in" ];
- Ports = [ "*:*" ];
- }
- ];
+ aclFile = pkgs.nix.tailscale {
+ ACLs = [
+ # Allow any traffic from myself
+ {
+ Action = "accept";
+ Users = [ "mail@tazj.in" ];
+ Ports = [ "*:*" ];
+ }
+ ];
+ } ;
 };
 # serve my website
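Review bot: The added line `acls = list entry;` refers to `entry`, the binding this same hunk renames to `acl`, so `entry` no longer exists in the `let` scope. Nix resolves variable names when the expression is parsed rather than when a binding is forced, so this should surface as an "undefined variable" error for the whole file even though `acls` is never used. Nothing reads `acls` — the struct already spells out `ACLs = list acl;` — so the cleanest fix is to delete the line; if the alias is wanted, change it to `acls = list acl;` and use it as `ACLs = acls;`.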
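Review bot: The closing `} ;` of the new `aclFile` value has a stray space before the semicolon, which none of the neighbouring attributes in this block (`enable = true;`, `relayConf = "/etc/tailscale.conf";`, `package = …;`) have; write it as `};`. The enclosing `tailscale` attribute set begins before this hunk, so only the `aclFile` attribute is visible here.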