feat(tf): tailscale

2026-02-09 04:19:19 -08:00 · 2024-09-05 12:48:47 -07:00 · 2024-09-05 12:48:47 -07:00 · a618279fed
commit a618279fed
parent ff688fb97a
10 changed files with 111 additions and 22 deletions
--- a/tf/.terraform.lock.hcl
+++ b/tf/.terraform.lock.hcl
@ -87,6 +87,28 @@ provider "registry.terraform.io/hashicorp/tls" {
  ]
 }

+provider "registry.terraform.io/tailscale/tailscale" {
+  version     = "0.16.2"
+  constraints = ">= 0.16.2"
+  hashes = [
+    "h1:m8r5+K4JWe+tdT4IyryZkAQ7d38GVPtoQ9mzp+5Scaw=",
+    "zh:2a37ef43b88ad8e26ecad79e6b34a896769be2b7d18140f855f6063775367841",
+    "zh:3867d3331b59c8281dd8a742260b22e18750ae84a9bd2009e8f9d90412d2c044",
+    "zh:5e5e5ee08e0ecefa08a0ce7a9281a858f9b3a2a66bc9c06802b1624a1cb3eae0",
+    "zh:6298e8ed55bccd5513060e0d357d055919b3a22146fcfb6c34881efd49ec33f8",
+    "zh:6ce0ab6564fbbc673ab98ce4b7db7d64258a916394436a005d14b25c3ea58ad1",
+    "zh:6fdc1fb66074d2af5124a6988f81efdc77011b185e710629140e87ffb8624956",
+    "zh:7ff7888d77a17b18c9bdc9dfc1bf1e7f98f512410c29d1a8c2e6c21c8fe2a5c4",
+    "zh:9cafb8660daffd5c9c490d4529c7ba3d691fee5e4093b55e73f188b17e34cead",
+    "zh:b11e0e1b6c8485eb832336a69be02dfae151b71350e25288ec7bf0637df35485",
+    "zh:c7371d0dcde253fcd1808f86be2fcfc6e0b6ec82aa714e5dc6b533ba10007d48",
+    "zh:dcddd847b8a03a3b7c9288d68e781d65a3b911ef9cc96df9502a2d069195ae42",
+    "zh:dfd37ec661fe5b1520b595dcb93cca65f716270edc173a393a600c85b3f842d7",
+    "zh:e3b623167859344ed93f4125e97d24c5793246ccb329e4d82b2d9d8e5c356380",
+    "zh:f4d38ec08191ae70ef05ffd3943df1c27e2b11192a02e1979498a59ea1881ee3",
+  ]
+}
+
 provider "registry.terraform.io/vancluever/acme" {
  version     = "2.26.0"
  constraints = "~> 2.0"
--- a/tf/tailscale_devices.tf
+++ b/tf/tailscale_devices.tf
@ -0,0 +1,40 @@
+resource "tailscale_acl" "tailnet" {
+  acl = jsonencode({
+    tagOwners = {
+      "tag:reisen" : ["autogroup:admin"],
+      "tag:gensokyo" : ["autogroup:admin"],
+    }
+    acls = [
+      {
+        # Allow all connections
+        action = "accept"
+        src    = ["*"]
+        dst    = ["*:*"]
+      },
+    ]
+    # Define users and devices that can use Tailscale SSH.
+    ssh = [
+      # Allow all users to SSH into their own devices in check mode.
+      {
+        action = "check",
+        src    = ["autogroup:member"],
+        dst    = ["autogroup:self"],
+        users  = ["autogroup:nonroot", "root"],
+      },
+    ],
+  })
+}
+
+resource "tailscale_tailnet_key" "reisen" {
+  reusable      = true
+  ephemeral     = false
+  preauthorized = true
+  description   = "Reisen VM"
+  tags          = ["tag:gensokyo", "tag:reisen"]
+  depends_on    = [tailscale_acl.tailnet]
+}
+
+output "tailscale_key_reisen" {
+  value     = tailscale_tailnet_key.reisen.key
+  sensitive = true
+}
--- a/tf/tailscale_provider.tf
+++ b/tf/tailscale_provider.tf
@ -0,0 +1,21 @@
+variable "tailscale_oauth_client_id" {
+  type      = string
+  sensitive = false
+}
+
+variable "tailscale_oauth_client_secret" {
+  type      = string
+  sensitive = true
+}
+
+variable "tailscale_tailnet" {
+  type      = string
+  sensitive = false
+  default   = "gensokyo.zone"
+}
+
+provider "tailscale" {
+  oauth_client_id     = var.tailscale_oauth_client_id
+  oauth_client_secret = var.tailscale_oauth_client_secret
+  tailnet             = var.tailscale_tailnet
+}
--- a/tf/terraform.tf
+++ b/tf/terraform.tf
@ -18,6 +18,10 @@ terraform {
      source  = "hashicorp/random"
      version = ">= 3.6.0"
    }
+    tailscale = {
+      source  = "tailscale/tailscale"
+      version = ">= 0.16.2"
+    }
    tls = {
      source  = "hashicorp/tls"
      version = ">= 4.0.5"
--- a/tf/terraform.tfvars.sops
+++ b/tf/terraform.tfvars.sops
@ -1,5 +1,5 @@
 {
-	"data": "ENC[AES256_GCM,data:iYpHoTiF+5qNkJ/ZHU37H3fqSIYgaqJnz+LVqcUhbmDpfKLngXeXV3dBqwk6ilBxVyRJ33v+ZbfeatLByk9v6JL3YmfKe/f/w+EBWEbKVy0qXb2lOHOCGMm3PFe+FP7DLb9deAWTi8S4FMGAa41xufbVIM+kOjQXwL3JH35dbgyyaqhmXknX4p800rt/T4TWo4NTfkRrR9G1/J+EaqeO0qRIJk2Vu/mqeXtbtyY13MrFCri1qw7FcvNwseFKWjzCCclfI2X+juNCxfYdXqjACmXyFMq0J3oYKHofMrts64+B4E5RjQb3j2FoCMNIAsKAGOoMEHQtWhiDEMPG3/yRIBoQ7TFFte5C6rN5O6fDTMel3q1vUHsazdrDX6nZ9HoV7H9GHlGApOqQ3AF4Zh7SMT6cN7hQ1G846o3igJ4UvX2J+q0Y8y3+Kl7JHo7axvRxEQ3h0jrj8KP8F4RpZqf07kDgfPyd2sZW1f1BMc3zHbyupWOfp7iGd2mRSdp5LRd7QCsryaX1e/P63NhqKfckScG85GEEGIsPRymeEmBLrhyUkTRr0t8I5fACdURbsRYYMVdd2Sy12DXJ8WfJQYunVJmIBkC2D8ZLy1+BGyuUpHFcOMEYmg6zHor32ghnEYVntp/XrwjOxBdeo7T8ntExbRNqAHqhFE1HT72cwCDWHt6EUtArOL4/BEzmkq43lgo1VuKrW2QjZDmFTTd8WlaAoVoZtJphY4RWkvJjjNmaGv+UiProVYFGRyg7hIHiwj+jP49WGEq5enONR6mnws3cog9pkRjH6IZrUIqcU4Aqmee1NU78KjM4G9q03/T+0P3YqP1VxGe39SBK6z7L6VQFVKU7Tl4kK4A6lWu4o1Q/HxBMFGZ/zVrx+kuPPVirHXy7F7TXFT4LghTi75Ve4ZCYdUrFvphVojS+XraUKEHWpO0urxR+4Gpd5BwBmbB+llLoOBkwbAwcdx+oi/qYm22entZsqLNi9oq6FvWc/AJIQ+Aya1ejMP1Ec2UYbIPDCR9RnGCQO4dOw3Mp+H6yByFvBWJuukvnv09mJQVLALrD35kJwdYfWPo5G14+ASDZIrvpWlm0Dk9LhWF/LPqPLvik0srtEoT+pZkLU9qE+i0bgvTXJqgYkyn/Exgi6XOy3zhVQ9zHDO/jiUa50KwxE+/g9WedfB00YRx2rndTs455K2eCUtxRJObl/eBkbyBes9bU6zIu3GuQshgt6h9UxgwK+73ofF293zKFpgHLgFATqMN/8rLH5rODxcPNY3VwTLIlmYtDo4otvKRWm0MPxBflbBun3fe6D6uoYqVJetjEypmU6XpqT89WUxah4NFpvEjXf5FTyoDPrb8O1oDGPMgbwbFh2W22z34A6T52lUg5nJzatlUPXweGY1NMGcPO8Z7Pv7yJMdcBidaxFRsLzKePkoOmUk1zW/cdtrjugURuy2958pp2CRfOQs0/XnPu+WWWwaSoWzI8ZgBMxuCWxtoJRusIHi1hfDw7T9gnvr9+TQsD4/nXeB4td1aFvggUAqsf/2Ahe7UvcJPM7nfgcymnpqwbfWHtWqkqjI4sJnKEAlxaDe2Xx/dC3eI8VWsZFJnepDSeA8TufJObK5TtYaCe+htLM5/4mCphRsb73DHdnlQ7PIG872kdrCapnA54SnDKBC8Z+t1W7LoWUTrQ752Nr3M0DRu5RfqTigyJ5zMMuOfXjVSJ1dy0xUp7Tn4JhkjpNX9DAOPMmvB19mA0lLF9hunfpT96lBf1grxo6x2oagqvg4N9a7+Bha8aQ5QtLB7maBLTOGbCI9zL0SYU+8qI+BHGZIndKSkLWc6XmcLMWyvypDC7XcjRVqFXMiYAFhPaFgPEjz31xycYYFvGa7mC0sV4OISEvdxoXE34IMfeI+Wf5wjURsWSkJ8Kub4pH3LjifX2gkWazQjsB9Ry0uLuCJbH+j9oOfrfz0xmFFVikkQSalLdWFqPg8UOJZMt/heO7w3MUE1RNXlV8k1m5d4lKTsLfcCgGF+NE3rC9oTIJgA0gTjOb/DImkE7MTFsMqJ+TesaFeYNx1Ll8T3P5zAuK+YGN2BNKOMD4oM5Qt3zfnDraL7i3ITJ39WvArjobBVKcMUg+h0uwD7NFo0up4fo7pOmy1KTYEjNZcOGKPHMZ8pli/ZM2+yiJ928Kdu7Bwe/MnmVA6xBFyjNRXcNWcDt6p6M+6NY9gr8sANVOj6Eb905ExC6XmgxOOW06K8Y81zYt+ggEna9QG1WwPpSxRQgtMlgada5DGy0ivHyrIuvSYCgtwiX3tc67ZCjQ0/7S2F7FxqQztfpO8x3FRMvr6DxCTSZmtyySClCqa+JZET5xO8bxkHGPnh/Pm97qy5085t6ablBKw==,iv:r/r8/D765tpIYa+qltuLohs/GtU3I6/P3qslXkbnCgE=,tag:ump5hDeTECGJWYkuPENAvQ==,type:str]",
+	"data": "ENC[AES256_GCM,data:yZ99iHyMHnnrJRG1CyImpe2VjmLWUKEPRjlmRWiPkrU3e+ynEFJbYvUl5jgCY1cpgEetEoMh9YC/H/dcBQ2/DXyXWKcttI1mmuWZlgZ4US0YLh9ul3TLITVwgBgHl2Ngr2d1M7b5YB0aBVTmwVTCWDYOROFYIaPD/PFK51fvcb2Li9CTbcdo9t+6f22cqqkMpaSDcxpSwGvoeraaYTip6er4SGPbTEA7jMITpTm3ofK5w2ji5zXIM9Etyt9SNJsjXf11IqwZjcAaUuEfIhrMcH2gOHSH52jcvJNeZkwVLTHBhU1CTfuXqoWwe36cSN5rDXCHnOhKZZ8CrXPU3i8/QYRAfhD2WA2Uw0XosLMBzQy7RVr+9L9Qo2H04HTTGZNKyNlDHNUH/l+twi9L8Zy1VreZ4gOmCze5irIbg334DT9OyLaqNZbAXUlcJQEb9rPIgr6ZLyJWvvl8AgV+HyVU4bGzD4pbKV3Nw/d4erF3RZohk6Zj6t5eZPFcwig4w9NiTHU8dOHmZMvPtk2HS+KOMzZGWIZdN5G4p57jTGY69W6QVIQGZ6sEIOPs1YePNAlbI3FEEV4dr7aCTHzoZAEy5+gknpcF/ruCRj+M8b5pDUbiDZ7v0W/PFiDq8mcZC4+fWDWGuLoT40nSTvcm4136+LczKsuN5VIDdEun1PFu0M58JwXDZRjOag5gdy+/Uw2t79eMkoAFDfTyuxtc2UkPpIKWoAnpjYncp0p+pYNSjRHkAwEgVfcC3UF2LUM6FiNsPZwNQfyvFxdFOY4YSpw033RU+4pdVd/kNJBbayeopTHwLd+nxTRc59k1cyA39yYJIV/H7pyw2Bs2gNHgT+A4RhU4Cl2FEWT7bUeo18/DjaJg5vmeEb8JMnew7cz9+GJa3UjBQuH76rTewj0Zl0n5akJjImnJ6argVR9uRgs813wKNRrsEo7avrNreB7mMP3vtjiAru/X03QgOtRywittDLRTOQLxiAd3h7hgV96V5DWHqBwwduPUAX98f35qskG4eVX74EvGfXepA54odYYojCmjGshRNboKddEOASqRjp7e0K5TA4xYt7VvOINA4ev84vemqZ09TfsSiD0I8ieou22NsiHyVoKpDqh6OaNCOzJ8pVz/X2fJUCiGgm40rqjxVfEtScQuwnk+2VrHtERWlv3tlvp8BbU2OfMSYPRZkib+6wxi4XE1WIsnmQS5u2kDi80WZSpR/xQ/sKSVmlYfVMqDqBzHTsd83lzmgsD4F1PqhR5JD+EsfEFRK++hxMc0NfNp4MT+Pdb2wgmFve7STf+dEw2AkTbhj9A6A5AT1WDmBL21WeJ4RxP+rFiyNGVM1mNfyq1/fVwlcdAQwq9P8Irtq7Uevo6mlkRd2jQ4tU0wfhqB0qDjFJtptBUD3kluq8igvNq/UEm8xc9o4aAnXyPmDVVPmqWy+HJUjMazD2edujAOBJy07bFTEWQQHbLyJEfNPJVAwHp4uh8/RVHBId41BFj679WWETkoLyYDwG+GiBBaEcW+KRcLQWcAcBHaeajnDcfPePYf+Q33dvXO4uJA0TnmxYSPGb7eEwhLpTDbgm4xVrcb4iop+8CXZeYr/zVaGHcJWNeze4/FoPjk3LLwTEFWATLC51Tguvycn3E7vrvvXbLlGUFY+4twH8VfwCh0hdjmng082L5/k7xq0IvTkO79ed3F0At8ntA0RS5w4w3t29lrpeSrOwc9INCoQ4d708vfYnaqtkqUFYpuGA34+sr6LygGGxnDb7PwgWXSoGGd7g2s4+h4WtDCNxjHsjo5sarSyWX+OS3p274e3K5qWUB7MRcv4zQ98RsBMT3tJBTHf6sRHMU3ELrZYFzJU566vjY3ysV7YMqKNdeQ17Xtijkf0NeTCyj9ViICV8EmlGvyYTnwWPZekTOekDHTj6sywf9lxgs9AddgUFvBXT9A+FZnGQDEoIyLfNLNJteR6UWqHfCHpo1hi4TwZe/9CYHwDQy+ZYyc7HeutHDDwggb4z/nh+VBSv+Ty0ZUQcx0n8xAeE0LXGfulE4m+peVCFIZlKewyS6o0nrdfwC3AfRuGHjQ2f5JtrpmoiY1d8r5hqwSeBnq9y1UYYAgvUrwj50CBbAuSE5t3yohoKXUWJ6MFh6XSzY5ZYCfYRzv5TOsBaWo6G+so0Ju1EgEv1A/Tbxse/r5+UeHF/9nGkBRkJ0g4UAZSn0/l86sFIOY7UsAnWM93+As+fcgL7h8eJ5aszRF3iHIE5L7b23LPXRSkttQkW6YanSSds8OYb0sgTsMBD0PT2spJNquiRW/DnuVlZvK7gsgChplhiyzTUBCTvgzNvpUimCti6/Dd3/5zOcOAa1+6F+xxpC2QxgFT/Nde1RnpJuNz+H9jehS9WvqKBnfOpSQHXC3+VzNoKSpMturU/2bQ4OHO/ApvzELDqbneBXZOkCpEPkgxWNisjTsZKUdsHRxrrH8AGgj3jzEIqwtEZAY3ThZ8AEvI2refcFM3Y8EBWjftnmebHNIvPSQtwm60t1E3EHZKAUm5LjMobqoLrpXdYV96nQwjy9c72MRqgwFuxP0,iv:1J+7Bz7U/O0koWhjDh5zWtGoL8nXATSc+DnyUxQzJXA=,tag:ot3RxgLj+TakFdA7t6Gfzw==,type:str]",
 	"sops": {
 		"shamir_threshold": 1,
 		"kms": null,
@ -7,8 +7,8 @@
 		"azure_kv": null,
 		"hc_vault": null,
 		"age": null,
-		"lastmodified": "2024-03-21T15:14:28Z",
-		"mac": "ENC[AES256_GCM,data:kFloPwB/TeHMMk1VYcQkHf2wDFrUr0zcvP8u39wNcXFDWilMqzW9W+/vlpfvR3qbSWwlN7tpippwBNY+pu6/ZaA2JZP7DUczA3xpFn+BUljiX4JV/+YAz1KwZT4VA4EimAMWr90sHSMKKxp7AjqiNqhirajxjfgspBluQkKCH8Q=,iv:sY35Kef/MGwl9SrZs+pdXziQCHX27MsBaRt4q7Cb9Fg=,tag:pPWqSaZlzOro1P1fmUSVxw==,type:str]",
+		"lastmodified": "2024-09-05T20:26:36Z",
+		"mac": "ENC[AES256_GCM,data:xZPZX1+Qs8kCfiivQN1fXJsMJxOTF6kDEYeAjomjgnhp6LYLev5cmn50Bs70U7VZCd5LCm+RlHbbWH85Ju3gWYb543y5X6dRcfhZTM7zA0HKwP0GHJBS2DPqDRo+GFMOXNv9ypIgEpcciQ8y6XxQa5aBSv98tZj2ME15n4+RwP4=,iv:r48PeNiDVaMx/h4OfsxRJXDZCn5eoHebXgak0RcYkx4=,tag:F1NgmNs+CWr7lHiunK7lMg==,type:str]",
 		"pgp": [
 			{
 				"created_at": "2024-01-14T19:49:29Z",
@ -22,6 +22,6 @@
 			}
 		],
 		"unencrypted_suffix": "_unencrypted",
-		"version": "3.8.1"
+		"version": "3.9.0"
 	}
 }