Skip to content

WalterHub/gitops-acl-action

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
Dockerfile
Dockerfile
 
 
README.md
README.md
 
 
action.yml
action.yml
 
 
entrypoint.sh
entrypoint.sh
 
 

Repository files navigation

GitHub Action for Tailscale ACLs

This GitHub action lets you manage your Tailscale ACL rules using a GitOps workflow. With this GitHub action you can automatically manage your Tailscale ACLs using a git repository as your source of truth.

Inputs

tailnet

Required The name of your tailnet. You can find it by opening the admin panel and copying down the name next to the Tailscale logo in the upper left hand corner of the page.

api-key

Required An API key authorized for your tailnet. You can get one in the admin panel.

Please note that API keys will expire in 90 days. Set up a monthly event to rotate your Tailscale API key.

policy-file

Optional The path to your policy file in the repository. If not set this defaults to policy.hujson in the root of your repository.

action

Required One of test or apply. If you set test, the action will run ACL tests and not update the ACLs in Tailscale. If you set apply, the action will run ACL tests and then update the ACLs in Tailscale. This enables you to use pull requests to make changes with CI stopping you from pushing a bad change out to production.

Getting Started

Set up a new GitHub repository that will contain your ACL files. Open the admin panel ACL editor and copy your rules to a file in that repo called policy.hujson.

If you want to change this name to something else, you will need to add the policy-file argument to the with blocks in your GitHub Actions config.

Copy this file to .github/workflows/tailscale.yml.

name: Tailscale ACL syncing

on:
  push:
    branches: [ "main" ]
  pull_request:
    branches: [ "main" ]

jobs:
  acls:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v3

      - name: Fetch old version info
        id: fetch-old-version
        uses: actions/cache@v3
        with:
          path: .
          key: version-cache.json

      - name: Deploy ACL
        if: github.event_name == 'push'
        id: deploy-acl
        uses: tailscale/[email protected]
        with:
          api-key: ${{ secrets.TS_API_KEY }}
          tailnet: ${{ secrets.TS_TAILNET }}
          action: apply

      - name: Test ACL
        if: github.event_name == 'pull_request'
        id: test-acl
        uses: tailscale/[email protected]
        with:
          api-key: ${{ secrets.TS_API_KEY }}
          tailnet: ${{ secrets.TS_TAILNET }}
          action: test

Generate a new API key here.

Set a monthly calendar reminder to renew this key because Tailscale does not currently support API key renewal (this will be updated to support that when that feature is implemented).

Then open the secrets settings for your repo and add two secrets:

  • TS_API_KEY: Your Tailscale API key from the earlier step
  • TS_TAILNET: Your tailnet's name (it's next to the logo on the upper left-hand corner of the admin panel)

Once you do that, commit the changes and push them to GitHub. You will have CI automatically test and push your ACL changes to Tailscale.

About

GitOps for your Tailscale ACLs

Resources

Readme
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

1 tags

Packages

No packages published

Languages

  • Dockerfile 83.7%
  • Shell 16.3%