From 45f8f7d39f06fa6acc03f219d6d90cbf161d8a5d Mon Sep 17 00:00:00 2001
From: Vincent Ambo
Date: Fri, 3 Jan 2025 19:17:23 +0300
Subject: [PATCH] feat(tvl-headscale): configure tag for TVL builders

Configures an ACL for a tailscale tag that can be added by the `tvl` and `tvl-builders` users. This tag will be used by dynamic builders to bootstrap and advertise to other builders that they might be valid substitution targets.

Relates to b/432.

Change-Id: I561a5b4bfeb7e7b306edfaf18b42404d33d84519
Reviewed-on: https://cl.tvl.fyi/c/depot/+/12948
Reviewed-by: sterni
Tested-by: BuildkiteCI
Autosubmit: tazjin
---
 ops/modules/tvl-headscale.nix | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/ops/modules/tvl-headscale.nix b/ops/modules/tvl-headscale.nix
index 6e805e4ac..6d513b09f 100644
--- a/ops/modules/tvl-headscale.nix
+++ b/ops/modules/tvl-headscale.nix
@@ -14,6 +14,12 @@
 # tailscale up --login-server https://net.tvl.fyi --accept-dns=false
 { config, pkgs, ... }:
+let
+  acl = with builtins; toFile "headscale-acl.json" (toJSON {
+    groups."group:builders" = [ "tvl" "tvl-builders" ];
+    tagOwners."tag:builders" = [ "group:builders" ];
+  });
+in
 {
   # TODO(tazjin): run embedded DERP server
   services.headscale = {
@@ -23,6 +29,7 @@
     settings = {
       server_url = "https://net.tvl.fyi";
       dns.magic_dns = false;
+      policy.path = acl;
       # TLS is handled by nginx
       tls_cert_path = null;
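Review bot: The policy written by `toFile` in the first hunk defines `groups` and `tagOwners` only, with no `acls` rules, so the reachability the commit message describes (builders advertising themselves to other builders) is not actually expressed anywhere in this file. Which traffic headscale allows once `policy.path` points at a file with no `acls` entry depends on the headscale version in use — it may be deny-all or may be unchanged from the pre-policy behaviour — and that should be checked before relying on `tag:builders` for anything, and pinned down with an explicit `acls` list in the same attribute set. Independently of that, the `let` binding should say what the tag is for and who may assert it, since the JSON is the only place that knowledge lives; something like `# ACL for net.tvl.fyi: nodes owned by the tvl/tvl-builders users may carry tag:builders (b/432)` above `acl = ...` would do. The module attribute set opened by `{` continues past the end of the hunk.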