From 018b44186f44f03ed1dd73bd0a41e7c2b61f84c4 Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Sat, 24 Jan 2026 11:03:02 -0800
Subject: [PATCH] Add tag:ci-gateway for Forgejo runner Tailscale sidecar

- Add ci-gateway tag owner (admin and blumeops can assign)
- Grant ci-gateway access to forge:443 for git operations
- Grant ci-gateway access to registry:443 for container push/pull
- Add ACL test for ci-gateway access

Co-Authored-By: Claude Opus 4.5
---
 pulumi/policy.hujson | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/pulumi/policy.hujson b/pulumi/policy.hujson
index 7f18820..789bd96 100644
--- a/pulumi/policy.hujson
+++ b/pulumi/policy.hujson
@@ -74,6 +74,20 @@
 "dst": ["tag:homelab"],
 "ip": ["tcp:3001", "tcp:2200"],
 },
+
+ // --- CI Gateway (Tailscale sidecar for Forgejo runner jobs) ---
+ // Can reach Forge for git clone operations
+ {
+ "src": ["tag:ci-gateway"],
+ "dst": ["tag:forge"],
+ "ip": ["tcp:443"],
+ },
+ // Can reach registry to push/pull container images
+ {
+ "src": ["tag:ci-gateway"],
+ "dst": ["tag:registry"],
+ "ip": ["tcp:443"],
+ },
 // Homelab can reach k8s services: PostgreSQL, CNPG metrics, Prometheus/Loki
 {
 "src": ["tag:homelab"],
@@ -126,6 +140,7 @@
 "tag:k8s-api": ["autogroup:admin", "tag:blumeops"],
 "tag:k8s-operator": ["autogroup:admin", "tag:blumeops"],
 "tag:k8s": ["autogroup:admin", "tag:blumeops", "tag:k8s-operator"],
+ "tag:ci-gateway": ["autogroup:admin", "tag:blumeops"],
 },
 
 // ============== ACL Tests ==============
@@ -151,5 +166,10 @@
 "src": "tag:k8s",
 "accept": ["tag:registry:443", "tag:homelab:3001", "tag:homelab:2200"],
 },
+ // CI gateway can reach forge and registry
+ {
+ "src": "tag:ci-gateway",
+ "accept": ["tag:forge:443", "tag:registry:443"],
+ },
 ],
 }
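Review bot: The comment `// Can reach registry to push/pull container images` overstates what the first hunk's rule decides: `"ip": ["tcp:443"]` grants layer-4 reach only, and whether a job may push is settled by the credentials it presents to the registry, not by this policy. Because any workload whose egress goes through the sidecar carries `tag:ci-gateway`, CI jobs (presumably running workflow code the gateway does not vet) inherit exactly the reach granted here, which is worth stating at the rule so a future reader does not treat the tag as a trust boundary. Suggest `// Grants L4 reach only; push vs. pull is authorized by registry credentials, and every job routed through the sidecar inherits this access`. The same reading applies to the `tag:forge` rule directly above it.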
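Review bot: The new test in the last hunk asserts only what `tag:ci-gateway` may reach and carries no `deny` list, so a later rule that widens the gateway's reach (for example to the homelab ports tested in the sibling `tag:k8s` entry) would not fail the policy tests. A negative assertion pins the least-privilege boundary the commit intends: add `"deny": ["tag:homelab:3001", "tag:homelab:2200"],` beside the `accept` entry. The enclosing tests array starts outside the hunk.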