From 3e2e9ecb80939b4ce1ec5b6a5a69e16f1ef1622f Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Sat, 17 Jan 2026 11:55:13 -0800
Subject: [PATCH] Use autogroup:admin and dst:* for admin grants
The previous commit incorrectly assumed autogroup:admin and dst:["*"] didn't work. The actual issue was that tagging gilbert converted it from a user-owned device to a tagged device, losing user identity. Now that gilbert remains untagged, autogroup:admin works correctly. This simplifies the policy and allows future admins to inherit access.
Co-Authored-By: Claude Opus 4.5
---
 pulumi/policy.hujson | 21 +++++++--------------
 1 file changed, 7 insertions(+), 14 deletions(-)
diff --git a/pulumi/policy.hujson b/pulumi/policy.hujson
index 580aade..d215ef7 100644
--- a/pulumi/policy.hujson
+++ b/pulumi/policy.hujson
@@ -11,18 +11,11 @@
 },
 // ============== Access Grants ==============
- // Note: autogroup:admin doesn't work reliably - use specific emails
- // Note: dst: ["*"] doesn't work reliably - use explicit tags
 "grants": [
- // --- Erich: full access to all infrastructure ---
+ // --- Admins: full access to all infrastructure ---
 {
- "src": ["blume.erich@gmail.com"],
- "dst": ["tag:homelab", "tag:nas"],
- "ip": ["*"],
- },
- {
- "src": ["blume.erich@gmail.com"],
- "dst": ["tag:grafana", "tag:kiwix", "tag:forge", "tag:devpi", "tag:loki", "tag:pg", "tag:feed"],
+ "src": ["autogroup:admin"],
+ "dst": ["*"],
 "ip": ["*"],
 },
@@ -77,18 +70,18 @@
 "dst": ["autogroup:self"],
 "users": ["autogroup:nonroot"],
 },
- // Erich can SSH to homelab (for ansible)
+ // Admins can SSH to homelab (for ansible)
 {
 "action": "check",
- "src": ["blume.erich@gmail.com"],
+ "src": ["autogroup:admin"],
 "dst": ["tag:homelab"],
 "users": ["autogroup:nonroot"],
 "checkPeriod": "12h0m0s",
 },
- // Erich can SSH to NAS
+ // Admins can SSH to NAS
 {
 "action": "check",
- "src": ["blume.erich@gmail.com"],
+ "src": ["autogroup:admin"],
 "dst": ["tag:nas"],
 "users": ["autogroup:nonroot"],
 "checkPeriod": "12h0m0s",
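Review bot: The replacement grant `"src": ["autogroup:admin"], "dst": ["*"], "ip": ["*"]` reaches every node in the tailnet on every port, whereas the lines it removes were scoped to the homelab, NAS and the named service tags; any account that later receives an admin-class role thereby gains full reachability to all devices, user-owned machines included, and nothing in the hunk records that trade-off. If that breadth is intended, document it next to the grant, e.g. `// NOTE: dst "*" covers every node (user devices included), so holding an admin role now implies full network access; narrow to explicit tags if that ever changes.`; if it is not, keep the explicit tag list the removed lines carried and swap only the src. The enclosing "grants" array continues past the end of the hunk.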
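Review bot: The two SSH rules in this hunk are now identical apart from `dst` (`tag:homelab` vs `tag:nas`): same `action`, `src`, `users` and `checkPeriod`, and the src change had to be applied to both. Consider collapsing them into one rule with `"dst": ["tag:homelab", "tag:nas"]` under a single comment, so a later change to the check period or the allowed user set cannot drift between the two copies. If they are kept separate on purpose (say, different check periods planned), a one-line comment saying so would make the duplication look deliberate. The enclosing rule list starts before and ends after the hunk.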