From c4a1d6f6894b48743d58ea5854cd9eb28a52e83a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Moritz=20J=C3=B6rg?=
Date: Tue, 7 Oct 2025 17:38:46 +0200
Subject: [PATCH] fix(hs): Visualize ACL
---
 attic/policy.hujson | 155 ++++++++++++++++++++++++++++++++++++++++++++
 default.nix | 48 ++++++++++++++
 2 files changed, 203 insertions(+)
 create mode 100644 attic/policy.hujson
 create mode 100644 default.nix
diff --git a/attic/policy.hujson b/attic/policy.hujson
new file mode 100644
index 00000000..830daad6
--- /dev/null
+++ b/attic/policy.hujson
@@ -0,0 +1,155 @@
+{
+ // groups are collections of users having a common scope. A user can be in multiple groups
+ // groups cannot be composed of groups
+ "groups": {
+ "group:hpc-clusters": [
+ "ekman",
+ "rossby",
+ ],
+ "group:admin": [
+ "jonas.juselius@oceanbox.io",
+ "Moritz.Jorg@oceanbox.io",
+ "simen.kirkvik@oceanbox.io",
+ "stig.r.jensen@oceanbox.io",
+ "system-tos",
+ ],
+ "group:devops": [
+ "jonas.juselius@oceanbox.io",
+ "Moritz.Jorg@oceanbox.io",
+ "stig.r.jensen@oceanbox.io",
+ "radovan.bast@oceanbox.io",
+ "simen.kirkvik@oceanbox.io",
+ "Ole.Tytlandsvik@tromso.serit.no",
+ ],
+ "group:oceanographer": [
+ "frank.gaardsted@oceanbox.io",
+ "ole.anders.nost@oceanbox.io",
+ "helge.avlesen@oceanbox.io",
+ "isa.rosso@oceanbox.io",
+ "jonathan.lilly@oceanbox.io",
+ ],
+ "group:manager": [
+ "svenn.hanssen@oceanbox.io",
+ "hilde.iversen@oceanbox.io",
+ ],
+ "group:dev": [],
+ "group:intern": [],
+ },
+ // tagOwners in tailscale is an association between a TAG and the people allowed to set this TAG on a server.
+ // This is documented [here](https://tailscale.com/kb/1068/acl-tags#defining-a-tag)
+ // and explained [here](https://tailscale.com/blog/rbac-like-it-was-meant-to-be/)
+ "tagOwners": {
+ "tag:k8s": [ "group:admin" ],
+ "tag:hpc": [ "group:admin" ],
+ },
+ // hosts should be defined using its IP addresses and a subnet mask.
+ // to define a single host, use a /32 mask. You cannot use DNS entries here,
+ // as they're prone to be hijacked by replacing their IP addresses.
+ // see https://github.com/tailscale/tailscale/issues/3800 for more information.
+ "hosts": {
+ "ingress.ekman.tos": "10.255.241.99/32",
+ "ingress.ceph.tos": "10.255.241.10/32",
+ "ingress.ceph.vtn": "172.16.239.50/32",
+ "ingress.adm.ceph.vtn": "172.16.239.51/32",
+ "ingress.oceanbox.tos": "10.255.241.11/32",
+ "manage.ekman.tos": "10.255.241.99/32",
+ "k8s.oceanbox.tos": "10.255.241.200/32",
+ "k8s.ekman.tos": "10.255.241.99/32",
+ "k8s.ceph.tos": "10.255.241.29/32",
+ "printer.office.tos": "10.132.46.108/32",
+ "net.office.tos": "10.132.46.0/24",
+ "net.dc.tos": "10.255.241.0/24",
+ "net.ceph.tos": "10.255.244.0/24",
+ "net.mgmt.tos": "10.255.240.0/24",
+ "net.rossby": "172.16.239.0/24",
+ "net.mgmt.rossby": "172.16.238.0/24",
+ "net.k8s.svc": "10.96.0.0/12",
+ },
+ "acls": [
+ {
+ "action": "accept",
+ "src": [
+ "group:admin",
+ "group:devops",
+ "group:oceanographer",
+ "group:manager",
+ "group:dev",
+ "group:hpc-clusters",
+ ],
+ "dst": [
+ "mumindalen:0",
+ "relay-vtn:0",
+ "rossby-manage:22",
+ "rossby:22",
+ "ekman:22",
+ "ekman-manage:22",
+ ]
+ },
+ {
+ "action": "accept",
+ "src": [ "group:hpc-clusters" ],
+ "dst": [
+ "net.dc.tos:*",
+ "net.mgmt.tos:*",
+ "net.ceph.tos:*",
+ "net.office.tos:*",
+ "net.rossby:*",
+ "net.mgmt.rossby:*",
+ "net.dc.tos:*",
+ "net.k8s.svc:*",
+ ]
+ },
+ {
+ "action": "accept",
+ "src": [ "group:admin" ],
+ "dst": [
+ "net.dc.tos:*",
+ "net.mgmt.tos:*",
+ "net.ceph.tos:*",
+ "net.office.tos:*",
+ "net.rossby:*",
+ "net.mgmt.rossby:*",
+ "net.k8s.svc:*",
+ ]
+ },
+ {
+ "action": "accept",
+ "src": [ "group:devops" ],
+ "dst": [
+ "k8s.oceanbox.tos:6443",
+ "k8s.ekman.tos:4443",
+ ]
+ },
+ {
+ "action": "accept",
+ "src": [
+ "group:admin",
+ "group:devops",
+ "group:oceanographer",
+ "group:manager",
+ "group:dev",
+ ],
+ "dst": [
+ "ingress.oceanbox.tos:443",
+ "ingress.ekman.tos:443",
+ "printer.office.tos:631",
+ "10.255.241.99/32:22",
+ "10.255.241.100/32:22",
+ ]
+ },
+ {
+ "action": "accept",
+ "src": [
+ "group:admin",
+ "group:devops",
+ "group:oceanographer",
+ "group:manager",
+ "group:dev",
+ ],
+ "dst": [
+ "100.64.0.1/24:*",
+ "autogroup:internet:*",
+ ]
+ },
+ ]
+}
diff --git a/default.nix b/default.nix
new file mode 100644
index 00000000..31a6d017
--- /dev/null
+++ b/default.nix
@@ -0,0 +1,48 @@
+{
+ sources ? import ./lon.nix,
+ pkgs ? import sources.nixpkgs { },
+}:
+let
+ policy = builtins.toFile "policy.hujson" (builtins.readFile ./attic/policy.hujson);
+ gh = pkgs.fetchFromGitHub {
+ owner = "SimplyMinimal";
+ repo = "tailscale-network-topology-mapper";
+ rev = "v2.0.1";
+ hash = "sha256-55n7CERdI2LPtSLAQJnGuqM27MWjq2Ef1c8uhndX0Qk=";
+ };
+ combinedSrc = pkgs.runCommand "combined-src" { } ''
+ mkdir -p $out
+ cp -r ${gh}/* $out/
+ ls -l $out/
+ rm $out/policy.hujson
+ cp ${policy} $out/policy.hujson
+ '';
+in
+{
+ tailscale-visualizer = pkgs.stdenv.mkDerivation {
+ pname = "tailscale-visualizer";
+ version = "v2.0.1";
+
+ src = combinedSrc;
+
+ nativeBuildInputs = with pkgs.python3Packages; [
+ pyvis
+ hjson
+ pytest
+ ];
+
+ buildPhase = ''
+ ${pkgs.lib.getExe pkgs.python3} main.py
+ '';
+
+ installPhase = ''
+ mkdir -p $out
+ cp network_topology.html $out/
+ '';
+
+ env = ''
+ TS_COMPANY_DOMAIN=obx
+ '';
+
+ };
+}
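Review bot: The `group:hpc-clusters` rule lists `"net.dc.tos:*"` twice in its dst and grants the cluster members `*` on every defined network including `net.office.tos` and `net.k8s.svc`, so a compromised cluster node reaches the office LAN and the whole service range; dropping the duplicate and narrowing the dst to the ports the clusters actually need keeps this rule closer to least privilege. `tag:k8s` and `tag:hpc` are declared under tagOwners but no rule references them, while the members of `group:hpc-clusters` (`"ekman"`, `"rossby"`) look like node names rather than users — presumably those nodes should carry `tag:hpc` and the rules should target the tag; confirm against what the control server accepts. The fifth rule's dst uses bare `10.255.241.99/32:22` and `10.255.241.100/32:22` although `.99` already has named host entries and `.100` has none; adding a `hosts` entry for `.100` and referencing both by name keeps the address inventory in one place, as the file's own comment above `hosts` asks. `"100.64.0.1/24:*"` in the last rule has host bits set; if the intended range is the /24 network it should read `100.64.0.0/24`, and the policy parser may reject the form with host bits — verify.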
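Review bot: `env = '' TS_COMPANY_DOMAIN=obx ''` at the end of the mkDerivation passes a string where stdenv expects an attribute set of environment variables, so the variable most likely never reaches `main.py`; `env.TS_COMPANY_DOMAIN = "obx";` is the form that exports it into the build (and check what name `main.py` actually reads the domain from). `builtins.toFile` and `runCommand` copy `attic/policy.hujson` — user e-mail addresses, internal subnets and open ports — into the world-readable Nix store, and `network_topology.html` in `$out` carries the same inventory; if this builds on a shared builder or pushes to a binary cache, treat that output as sensitive and keep it off public caches. `ls -l $out/` in `combinedSrc` is build-log noise with no effect on the result and can go, and `pytest` is listed in `nativeBuildInputs` although no checkPhase runs it. `rev = "v2.0.1"` is pinned by `hash`, which is good; the `version` string duplicates it, so a single `let`-bound version would keep the two from drifting.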