fixed urls for mediaservers and added dockhand

ironicbadger · ironicbadger · commit 4fcfc5026164 · 2026-02-17T21:43:53.000-05:00
diff --git a/.github/workflows/tailscale.yml b/.github/workflows/tailscale.yml
@@ -0,0 +1,37 @@
+name: Sync Tailscale ACLs
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+
+jobs:
+  acls:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Validate HuJSON
+        run: python3 tailscale/validate-acl.py tailscale/acl.hujson
+
+      - name: Deploy ACL
+        if: github.event_name == 'push'
+        id: deploy-acl
+        uses: tailscale/gitops-acl-action@v1
+        with:
+          api-key: ${{ secrets.TS_API_KEY }}
+          tailnet: ${{ secrets.TS_TAILNET }}
+          action: apply
+          policy-file: tailscale/acl.hujson
+
+      - name: Test ACL
+        if: github.event_name == 'pull_request'
+        id: test-acl
+        uses: tailscale/gitops-acl-action@v1
+        with:
+          api-key: ${{ secrets.TS_API_KEY }}
+          tailnet: ${{ secrets.TS_TAILNET }}
+          action: test
+          policy-file: tailscale/acl.hujson
diff --git a/services/c137/01-infra/compose.yaml b/services/c137/01-infra/compose.yaml
@@ -31,6 +31,16 @@ services:
       - --certificatesresolvers.cloudflare.acme.storage=/letsencrypt/acme.json
       - --serversTransport.insecureSkipVerify=true
     restart: unless-stopped
+  dockhand:
+    image: fnsys/dockhand:latest
+    container_name: dockhand
+    labels:
+      - traefik.enable=true
+      - "traefik.http.routers.dockhand.rule=Host(`dockhand.{{ m_wd_domain_me }}`)"
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - "{{ appdata_path }}/apps/dockhand:/app/data"
+    restart: unless-stopped
   # copyparty:
   #   image: copyparty/ac:latest
   #   container_name: copyparty
diff --git a/services/c137/02-mediaservers/compose.yaml b/services/c137/02-mediaservers/compose.yaml
@@ -66,7 +66,7 @@ services:
       - "/mnt/rust/media/music/library:/music:ro"
     labels:
       - traefik.enable=true
-      - "traefik.http.routers.navidrome.rule=Host(`navidrome.m.wd.ktz.me`)"
+      - "traefik.http.routers.navidrome.rule=Host(`navidrome.{{ m_wd_domain_me }}`)"
       - traefik.http.services.navidrome.loadbalancer.server.port=4533
     environment:
       - ND_MUSICFOLDER=/music
@@ -79,7 +79,7 @@ services:
     container_name: cwa
     labels:
       - traefik.enable=true
-      - "traefik.http.routers.cwa.rule=Host(`cwa.m.wd.ktz.me`)"
+      - "traefik.http.routers.cwa.rule=Host(`cwa.{{ m_wd_domain_me }}`)"
       - traefik.http.routers.cwa.entrypoints=websecure
       - traefik.http.routers.cwa.tls=true
       - traefik.http.services.cwa.loadbalancer.server.port=8083
diff --git a/tailscale/acl.hujson b/tailscale/acl.hujson
@@ -0,0 +1,201 @@
+{
+  // Tailscale ACLs (GitOps-managed).
+  "randomizeClientPort": true, // for OPNsense
+
+  "tagOwners": {
+    // Site tags
+    "tag:norfolk": [],
+
+    // Role/service tags
+    "tag:server": [],
+    "tag:ssh": [],
+    "tag:idp": [],
+    "tag:connector-uk": [],
+    "tag:connector-github": [],
+    "tag:container": [],
+
+    // K8s tags (owned by the operator tag)
+    "tag:k8s-operator": ["tag:k8s-operator"],
+    "tag:k8s": ["tag:k8s-operator"],
+    "tag:k8s-m720q": ["tag:k8s-operator"],
+    "tag:k8s-funnel": ["tag:k8s-operator"]
+  },
+
+  "groups": {
+    // User-based grouping for client devices (exit-node access).
+    "group:alex": ["alexktz@gmail.com"]
+  },
+
+  "hosts": {
+    // Godmode workstations (explicit device ownership, no tags).
+    "baldrick": "100.67.48.126",
+    "magrathea": "100.95.89.118",
+    "alexs-mac-studio": "100.92.189.64",
+    "alexs-macbook-pro14": "100.82.236.9",
+    "mooncake": "100.80.82.66"
+  },
+
+  "ssh": [
+    {
+      "action": "accept",
+      // Keep this list in sync with hosts above.
+      "src": [
+        "baldrick",
+        "magrathea",
+        "alexs-mac-studio",
+        "alexs-macbook-pro14",
+        "mooncake"
+      ],
+      "dst": ["tag:ssh", "autogroup:self"],
+      "users": ["root", "autogroup:nonroot"]
+    }
+  ],
+
+  "nodeAttrs": [
+    {
+      "target": ["tag:k8s-funnel"],
+      "attr": ["funnel"]
+    },
+    {
+      "target": ["tag:idp"],
+      "attr": ["funnel"]
+    },
+    {
+      "target": ["autogroup:member"],
+      "attr": ["funnel"]
+    },
+    {
+      "target": ["autogroup:member"],
+      "attr": ["drive:share", "drive:access"]
+    },
+    {
+      "target": ["*"],
+      "app": {
+        "tailscale.com/app-connectors": [
+          {
+            "name": "bbc",
+            "connectors": ["tag:connector-uk"],
+            "domains": ["*.bbc.com", "*.bbc.co.uk", "*.bbci.co.uk"]
+          },
+          {
+            "name": "github",
+            "connectors": ["tag:connector-github"],
+            "presetAppID": "github"
+          }
+        ]
+      }
+    }
+  ],
+
+  "grants": [
+    {
+      // Godmode workstations
+      "src": [
+        "baldrick",
+        "magrathea",
+        "alexs-mac-studio",
+        "alexs-macbook-pro14",
+        "mooncake"
+      ],
+      "dst": ["*"],
+      "ip": ["*"]
+    },
+    {
+      // Servers can access each other
+      "src": ["tag:server"],
+      "dst": ["tag:server"],
+      "ip": ["*"]
+    },
+    {
+      // Allow your user-owned devices to use exit nodes.
+      "src": ["group:alex"],
+      "dst": ["autogroup:internet"],
+      "ip": ["*"]
+    },
+    {
+      // RDU subnets
+      "src": [
+        "baldrick",
+        "magrathea",
+        "alexs-mac-studio",
+        "alexs-macbook-pro14",
+        "mooncake"
+      ],
+      "dst": ["10.42.0.0/21"],
+      "ip": ["*"]
+    },
+    {
+      // NR subnets
+      "src": [
+        "baldrick",
+        "magrathea",
+        "alexs-mac-studio",
+        "alexs-macbook-pro14",
+        "mooncake"
+      ],
+      "dst": ["192.168.16.0/24"],
+      "ip": ["*"]
+    },
+    {
+      // Default DNS for tailnet nodes
+      "src": ["*"],
+      "dst": ["10.42.0.253"],
+      "ip": ["udp:53"]
+    },
+    {
+      "src": ["autogroup:shared"],
+      "dst": ["*"],
+      "ip": ["*"]
+    },
+    {
+      // K8s API server access
+      "src": ["*"],
+      "dst": ["tag:k8s-operator"],
+      "ip": ["tcp:443"]
+    },
+    {
+      "src": ["autogroup:member"],
+      "dst": ["tag:k8s-operator"],
+      "app": {
+        "tailscale.com/cap/kubernetes": [
+          {
+            "impersonate": {
+              "groups": ["system:masters"]
+            }
+          }
+        ]
+      }
+    },
+    {
+      "src": ["*"],
+      "dst": ["tag:idp"],
+      "ip": ["*"]
+    },
+    {
+      "src": ["*"],
+      "dst": ["tag:idp"],
+      "app": {
+        "tailscale.com/cap/tsidp": [
+          {
+            "allow_admin_ui": true,
+            "allow_dcr": true,
+            "includeInUserInfo": true,
+            "users": ["*"],
+            "resources": ["*"]
+          }
+        ]
+      }
+    }
+  ],
+
+  "autoApprovers": {
+    "routes": {
+      "0.0.0.0/0": ["tag:connector-uk"],
+      "::/0": ["tag:connector-uk"]
+    },
+    "services": {
+      "tag:k8s": ["tag:k8s"],
+      "tag:k8s-operator": ["tag:k8s-operator"]
+    }
+  }
+}
diff --git a/tailscale/cleanup-tags.sh b/tailscale/cleanup-tags.sh
@@ -0,0 +1,94 @@
+#!/usr/bin/env bash
+set -uo pipefail
+
+TAILSCALE_API_KEY="${TAILSCALE_API_KEY:-}"
+TAILNET="${TAILNET:-}"
+DRY_RUN="${DRY_RUN:-1}"
+
+if [[ -z "$TAILSCALE_API_KEY" ]]; then
+  echo "TAILSCALE_API_KEY is required." >&2
+  exit 1
+fi
+
+if [[ -z "$TAILNET" ]]; then
+  if command -v tailscale >/dev/null 2>&1; then
+    TAILNET="$(tailscale status --json | jq -r '.CurrentTailnet.MagicDNSSuffix // empty')"
+  fi
+fi
+
+if [[ -z "$TAILNET" ]]; then
+  echo "TAILNET is required (example: ktz.ts.net)." >&2
+  exit 1
+fi
+
+REMOVE_TAGS=(
+  "tag:rdu"
+  "tag:rdu-px"
+  "tag:rdu-sr"
+  "tag:norfolk-sr"
+  "tag:ca-ont"
+  "tag:cloud"
+  "tag:zfs-replication"
+  "tag:family-share"
+  "tag:exitnode"
+  "tag:use-exitnode"
+)
+
+remove_json="$(printf '%s\n' "${REMOVE_TAGS[@]}" | jq -R . | jq -s .)"
+
+devices_json="$(curl -fsS -u "${TAILSCALE_API_KEY}:" \
+  "https://api.tailscale.com/api/v2/tailnet/${TAILNET}/devices")"
+
+updates="$(
+  echo "$devices_json" | jq -r --argjson remove "$remove_json" '
+    .devices[]
+    | {id, name, tags: (.tags // [])}
+    | . as $d
+    | ($d.tags - $remove) as $newtags
+    | select(($d.tags|length) != ($newtags|length))
+    | {id: $d.id, name: $d.name, tags: $newtags}
+    | @base64
+  '
+)"
+
+if [[ -z "$updates" ]]; then
+  echo "No devices found with removable tags."
+  exit 0
+fi
+
+echo "Tailnet: $TAILNET"
+echo "Remove tags: ${REMOVE_TAGS[*]}"
+echo ""
+
+while read -r row; do
+  obj="$(echo "$row" | base64 --decode)"
+  id="$(echo "$obj" | jq -r '.id')"
+  name="$(echo "$obj" | jq -r '.name')"
+  tags="$(echo "$obj" | jq -c '.tags')"
+
+  if [[ "$DRY_RUN" != "0" ]]; then
+    echo "DRY RUN: $name ($id) -> $tags"
+    continue
+  fi
+
+  resp_file="$(mktemp)"
+  http_code="$(
+    curl -sS -u "${TAILSCALE_API_KEY}:" \
+      -H "Content-Type: application/json" \
+      -d "{\"tags\":$tags}" \
+      -o "$resp_file" \
+      -w "%{http_code}" \
+      "https://api.tailscale.com/api/v2/device/${id}/tags" || true
+  )"
+
+  if [[ "$http_code" == "200" || "$http_code" == "204" ]]; then
+    echo "Updated: $name ($id)"
+  else
+    echo "ERROR: $name ($id) -> HTTP $http_code" >&2
+    if [[ -s "$resp_file" ]]; then
+      echo "Response: $(cat "$resp_file")" >&2
+    fi
+  fi
+
+  rm -f "$resp_file"
+done <<< "$updates"
diff --git a/tailscale/validate-acl.py b/tailscale/validate-acl.py
