headscale ssh acl

hosts/m3-ares/services/tailscale.nix

@@ -6,6 +6,7 @@
     extraUpFlags = [
       "--login-server=https://va.m3tam3re.com"
       "--accept-routes"
+      "--ssh"
     ];
   };
 }

hosts/m3-atlas/services/headscale.nix

@@ -36,7 +36,21 @@
           dst = ["${adminUser}:*"];
         }
       ];
-
+      # Tailscale SSH rules
+      ssh = [
+        {
+          action = "accept";
+          src = ["${adminUser}"];
+          dst = ["*"];
+          users = ["*"];
+        }
+        {
+          action = "accept";
+          src = ["group:admins"];
+          dst = ["*"];
+          users = ["*"];
+        }
+      ];
       # Auto-approvers section for routes
       autoApprovers = {
         routes = {
@@ -60,7 +74,7 @@
     services = {
       headscale = {
         enable = true;
-        adminUser = "m3tam3re@m3ta.loc";
+        adminUser = "m3tam3re";
         port = 3009;
         settings = {
           server_url = "https://va.m3tam3re.com";

hosts/m3-atlas/services/tailscale.nix

@@ -12,6 +12,7 @@
       "--login-server=${config.services.headscale.settings.server_url}"
       "--advertise-exit-node"
       "--accept-routes"
+      "--ssh"
     ];
   };
   services.networkd-dispatcher = lib.mkIf config.services.tailscale.enable {