gensokyo-zone/infrastructure
1
0
Fork 0
mirror of https://github.com/gensokyo-zone/infrastructure.git synced 2026-02-09 04:19:19 -08:00
Code Issues Projects Releases Packages Wiki Activity Actions

chore(minecraft): mounts

Browse source
This commit is contained in:
arcnmx 2024-09-17 12:42:18 -07:00
parent 33b18bc348
commit 75b123776b
15 changed files with 402 additions and 54 deletions
Download patch file Download diff file Expand all files Collapse all files

51
tf/tailscale_devices.tf
View file

@ -1,7 +1,8 @@
locals {
tailscale_tag_infra = "tag:infrastructure"
tailscale_tag_genso = "tag:gensokyo"
tailscale_tag_reisen = "tag:reisen"
tailscale_tag_infra = "tag:infrastructure"
tailscale_tag_genso = "tag:gensokyo"
tailscale_tag_reisen = "tag:reisen"
tailscale_tag_minecraft = "tag:minecraft"
tailscale_tag_arc = "tag:arc"
tailscale_tag_arc_deploy = "tag:arc-deploy"
@ -11,7 +12,14 @@ locals {
tailscale_user_arc = "arc@${var.tailscale_tailnet}"
tailscale_user_kat = "kat@${var.tailscale_tailnet}"
tailscale_group_admin = "autogroup:admin"
tailscale_group_member = "autogroup:member"
tailscale_group_admin = "autogroup:admin"
tailscale_tags_genso = [local.tailscale_tag_infra, local.tailscale_tag_genso]
tailscale_tags_reisen = concat(local.tailscale_tags_genso, [local.tailscale_tag_reisen])
tailscale_tags_arc = [local.tailscale_user_arc, local.tailscale_tag_arc]
tailscale_tags_kat = [local.tailscale_user_kat, local.tailscale_tag_kat]
tailscale_tags_peeps = concat(local.tailscale_tags_arc, local.tailscale_tags_kat)
}
resource "tailscale_acl" "tailnet" {
@ -20,6 +28,7 @@ resource "tailscale_acl" "tailnet" {
"${local.tailscale_tag_infra}" : [local.tailscale_group_admin],
"${local.tailscale_tag_reisen}" : [local.tailscale_group_admin, local.tailscale_tag_infra],
"${local.tailscale_tag_genso}" : [local.tailscale_group_admin, local.tailscale_tag_arc_deploy, local.tailscale_tag_kat_deploy],
"${local.tailscale_tag_minecraft}" : [local.tailscale_group_admin, local.tailscale_tag_infra],
"${local.tailscale_tag_arc}" : [local.tailscale_user_arc, local.tailscale_tag_arc_deploy],
"${local.tailscale_tag_arc_deploy}" : [local.tailscale_user_arc],
"${local.tailscale_tag_kat}" : [local.tailscale_user_kat, local.tailscale_tag_kat_deploy],
@ -27,10 +36,34 @@ resource "tailscale_acl" "tailnet" {
}
acls = [
{
# Allow all connections
action = "accept"
src = [local.tailscale_group_admin]
dst = ["*:*"]
},
{
action = "accept"
src = [local.tailscale_tag_reisen]
dst = ["${local.tailscale_tag_reisen}:*"]
},
{
action = "accept"
src = concat([local.tailscale_tag_genso], local.tailscale_tags_peeps)
dst = [
"${local.tailscale_tag_genso}:*",
]
},
{
action = "accept"
src = ["*"]
dst = ["*:*"]
dst = [
"autogroup:self:*",
"${local.tailscale_tag_minecraft}:19132,19133,25565",
]
},
{
action = "accept"
src = [local.tailscale_group_member]
dst = ["autogroup:internet:*"]
},
]
# Define users and devices that can use Tailscale SSH.
@ -38,7 +71,7 @@ resource "tailscale_acl" "tailnet" {
# Allow all users to SSH into their own devices in check mode.
{
action = "check",
src = ["autogroup:member"],
src = [local.tailscale_group_member],
dst = ["autogroup:self"],
users = ["autogroup:nonroot", "root"],
},
@ -51,7 +84,7 @@ resource "tailscale_tailnet_key" "reisen" {
ephemeral = false
preauthorized = true
description = "Reisen VM"
tags = [local.tailscale_tag_infra, local.tailscale_tag_genso, local.tailscale_tag_reisen]
tags = local.tailscale_tags_reisen
depends_on = [tailscale_acl.tailnet]
}
@ -60,7 +93,7 @@ resource "tailscale_tailnet_key" "gensokyo" {
ephemeral = false
preauthorized = true
description = "Reisen VM"
tags = [local.tailscale_tag_infra, local.tailscale_tag_genso]
tags = local.tailscale_tags_genso
depends_on = [tailscale_acl.tailnet]
}