+6 -28

hosts/wolumonde/modules/headscale.nix/acl.hujson

reviewed

··· 1 1 { 2 2 - // Headscale ACL Configuration 3 3 - // Defines groups, tags, and access control rules 4 4 - 5 5 - // Groups define collections of users 6 2 "groups": { 7 7 - "group:admin": ["90008@"], 3 3 + "group:admin": ["90008@gaze.systems"], 8 4 }, 9 9 - 10 10 - // Tags are used to label devices/nodes for access control 11 5 "tagOwners": { 12 6 "tag:private-infra": ["group:admin"], 13 7 "tag:other-infra": ["group:admin"], 14 8 }, 15 15 - 16 16 - // Access Control Lists - define what can access what 17 9 "acls": [ 18 18 - // Admin group (user 90008) can access their own devices 19 10 { 20 11 "action": "accept", 21 12 "src": ["group:admin"], 22 22 - "dst": ["group:admin:*"], 13 13 + "dst": ["tag:private-infra:*", "tag:other-infra:*"], 23 14 }, 24 24 - 25 25 - // Private infrastructure can access other infrastructure 26 15 { 27 16 "action": "accept", 28 17 "src": ["tag:private-infra"], 29 18 "dst": ["tag:other-infra:*"], 30 19 }, 31 31 - 32 32 - // Private infrastructure can access itself 33 20 { 34 21 "action": "accept", 35 35 - "src": ["tag:private-infra"], 36 36 - "dst": ["tag:private-infra:*"], 22 22 + "src": ["90008@gaze.systems"], 23 23 + "dst": ["90008@gaze.systems:*"], 37 24 }, 38 38 - 39 39 - // Other infrastructure can access itself 40 25 { 41 26 "action": "accept", 42 42 - "src": ["tag:other-infra"], 43 43 - "dst": ["tag:other-infra:*"], 44 44 - }, 45 45 - 46 46 - // Admin group can access both infrastructure tags 47 47 - { 48 48 - "action": "accept", 49 49 - "src": ["group:admin"], 50 50 - "dst": ["tag:private-infra:*", "tag:other-infra:*"], 27 27 + "src": ["90008@gaze.systems", "tag:private-infra"], 28 28 + "dst": ["autogroup:internet:*"], 51 29 }, 52 30 ], 53 31 }

+1 -1

hosts/wolumonde/modules/headscale.nix/default.nix

reviewed

··· 17 17 server_url = "https://${domain}"; 18 18 policy = { 19 19 mode = "file"; 20 20 - file = ./acl.hujson; 20 20 + path = ./acl.hujson; 21 21 }; 22 22 dns = { 23 23 base_domain = "lan.${rootDomain}";

-60

hosts/wolumonde/modules/nsid-tracker.disabled

reviewed

··· 1 1 - { 2 2 - pkgs, 3 3 - terra, 4 4 - inputs, 5 5 - ... 6 6 - }: 7 7 - let 8 8 - client-modules = 9 9 - (pkgs.callPackage "${inputs.nsid-tracker}/nix/client-modules.nix" {}) 10 10 - .overrideAttrs (_: { 11 11 - outputHash = "sha256-TzTafbNTng/mMyf0yR9Rc6XS9/zzipwmK9SUWm2XxeY="; 12 12 - }); 13 13 - client = pkgs.callPackage "${inputs.nsid-tracker}/nix/client.nix" { 14 14 - PUBLIC_API_URL = "gaze.systems/nsid-tracker/api"; 15 15 - inherit client-modules; 16 16 - }; 17 17 - server = terra.nsid-tracker-server; 18 18 - port = 6432; 19 19 - in 20 20 - { 21 21 - users.users.nsidtracker = { 22 22 - isSystemUser = true; 23 23 - home = "/mnt/data/nsid-tracker"; 24 24 - createHome = true; 25 25 - group = "nsidtracker"; 26 26 - }; 27 27 - users.groups.nsidtracker = { }; 28 28 - 29 29 - systemd.services.nsid-tracker = { 30 30 - description = "nsid-tracker"; 31 31 - wantedBy = [ "multi-user.target" ]; 32 32 - after = [ "network.target" ]; 33 33 - environment = { 34 34 - HOME = "/mnt/data/nsid-tracker"; 35 35 - PORT = toString port; 36 36 - }; 37 37 - serviceConfig = { 38 38 - User = "nsidtracker"; 39 39 - ExecStart = "${server}/bin/server"; 40 40 - Restart = "on-failure"; 41 41 - RestartSec = 5; 42 42 - WorkingDirectory = "/mnt/data/nsid-tracker"; 43 43 - }; 44 44 - }; 45 45 - 46 46 - services.nginx.virtualHosts."gaze.systems" = { 47 47 - locations."/nsid-tracker/api" = { 48 48 - proxyPass = "http://localhost:${toString port}/"; 49 49 - proxyWebsockets = true; 50 50 - extraConfig = '' 51 51 - rewrite ^/nsid-tracker/api/(.*) /$1 break; 52 52 - ''; 53 53 - }; 54 54 - locations."/nsid-tracker".return = "301 /nsid-tracker/"; 55 55 - locations."/nsid-tracker/" = { 56 56 - alias = "${client}/"; 57 57 - tryFiles = "$uri $uri/ /index.html"; 58 58 - }; 59 59 - }; 60 60 - }

+60

hosts/wolumonde/modules/nsid-tracker.nix

reviewed

··· 1 1 + { 2 2 + pkgs, 3 3 + terra, 4 4 + inputs, 5 5 + ... 6 6 + }: 7 7 + let 8 8 + client-modules = 9 9 + (pkgs.callPackage "${inputs.nsid-tracker}/nix/client-modules.nix" {}) 10 10 + .overrideAttrs (_: { 11 11 + outputHash = "sha256-TzTafbNTng/mMyf0yR9Rc6XS9/zzipwmK9SUWm2XxeY="; 12 12 + }); 13 13 + client = pkgs.callPackage "${inputs.nsid-tracker}/nix/client.nix" { 14 14 + PUBLIC_API_URL = "gaze.systems/nsid-tracker/api"; 15 15 + inherit client-modules; 16 16 + }; 17 17 + # server = terra.nsid-tracker-server; 18 18 + port = 3713; 19 19 + in 20 20 + { 21 21 + # users.users.nsidtracker = { 22 22 + # isSystemUser = true; 23 23 + # home = "/mnt/data/nsid-tracker"; 24 24 + # createHome = true; 25 25 + # group = "nsidtracker"; 26 26 + # }; 27 27 + # users.groups.nsidtracker = { }; 28 28 + 29 29 + # systemd.services.nsid-tracker = { 30 30 + # description = "nsid-tracker"; 31 31 + # wantedBy = [ "multi-user.target" ]; 32 32 + # after = [ "network.target" ]; 33 33 + # environment = { 34 34 + # HOME = "/mnt/data/nsid-tracker"; 35 35 + # PORT = toString port; 36 36 + # }; 37 37 + # serviceConfig = { 38 38 + # User = "nsidtracker"; 39 39 + # ExecStart = "${server}/bin/server"; 40 40 + # Restart = "on-failure"; 41 41 + # RestartSec = 5; 42 42 + # WorkingDirectory = "/mnt/data/nsid-tracker"; 43 43 + # }; 44 44 + # }; 45 45 + 46 46 + services.nginx.virtualHosts."gaze.systems" = { 47 47 + locations."/nsid-tracker/api" = { 48 48 + proxyPass = "http://dusk-devel-mobi:${toString port}/"; 49 49 + proxyWebsockets = true; 50 50 + extraConfig = '' 51 51 + rewrite ^/nsid-tracker/api/(.*) /$1 break; 52 52 + ''; 53 53 + }; 54 54 + locations."/nsid-tracker".return = "301 /nsid-tracker/"; 55 55 + locations."/nsid-tracker/" = { 56 56 + alias = "${client}/"; 57 57 + tryFiles = "$uri $uri/ /index.html"; 58 58 + }; 59 59 + }; 60 60 + }