- Go 100%
| internal/config | configuration from environment | |
| .gitignore | add goreleaser configuration | |
| .goreleaser.yaml | add goreleaser configuration | |
| go.mod | update dependencies | |
| go.sum | update dependencies | |
| LICENSE | Create LICENSE | |
| main.go | more descriptive variable names | |
| README.md | add instructions for OAuth + 1Password | |
Tailscale ACL client
Extremely rudimentary command-line client to preview and commit changes to Tailscale's ACLs.
Configuration
To use an API key (which must have an expiration date), create a configuration file like this:
api_key:"tskey-api-XXXXYYYZZZ"tailnet:"example.github"and use the -config <filename> command-line flag.
To use an OAuth token, see the next section.
OAuth + 1Password
Install direnv and 1Password CLI (the op command).
Create an OAuth token in Tailscale. The scope must include read and write permissions for the Policy File. Then, write the "Client ID" and "Client Secret" in a 1Password entry.
In the directory where you keep your version-controlled policy file, create .envrc:
export TAILSCALE_TAILNET="12345ABCDEF"
export TAILSCALE_OAUTH_CLIENT_ID="op://Private/XXXXYYYYZZZxxxyyyzzz/client_id"
export TAILSCALE_OAUTH_CLIENT_SECRET="op://Private/XXXXYYYYZZZxxxyyyzzz/client_secret"
Allow direnv to read this file by running direnv allow.
Now, from within this directory, you can run tailscale-acl with op to interact with your
Tailscale policy:
$ op run -- tailscale-acl -preview policy.hujson
$ op run -- tailscale-acl -commit policy.hujson
The advantage of using an OAuth token is that it does not need to have an expiration date.