From 4e9c8c11f7a2b0bbae2994b3df8310eb6b580f8f Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Fri, 16 Jan 2026 09:57:20 -0800
Subject: [PATCH] Add tag:blumeops as owner of service tags for IaC management
The OAuth client acts as tag:blumeops, so it needs to own all tags it manages on devices. This enables Pulumi to set device tags automatically instead of requiring manual Tailscale admin console changes.
Co-Authored-By: Claude Opus 4.5
---
 pulumi/policy.hujson | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/pulumi/policy.hujson b/pulumi/policy.hujson
index d135b1a..45ad401 100644
--- a/pulumi/policy.hujson
+++ b/pulumi/policy.hujson
@@ -72,31 +72,32 @@
 "tagOwners": {
 // Grafana service host tag
- "tag:grafana": ["autogroup:admin"],
+ "tag:grafana": ["autogroup:admin", "tag:blumeops"],
 // This tag applies to instances which are meant to be accessible in my homelab. These instances can be SSH'ed in to by any member of the admin autogroup.
- "tag:homelab": ["autogroup:admin"],
+ "tag:homelab": ["autogroup:admin", "tag:blumeops"],
 // Kiwix, a local wiki server. I use it to create mirrors of wikipedia.
- "tag:kiwix": ["autogroup:admin"],
+ "tag:kiwix": ["autogroup:admin", "tag:blumeops"],
 // Service tag for forgejo, scm host and code forge
- "tag:forge": ["autogroup:admin"],
+ "tag:forge": ["autogroup:admin", "tag:blumeops"],
 // devpi pypi index
- "tag:devpi": ["autogroup:admin"],
+ "tag:devpi": ["autogroup:admin", "tag:blumeops"],
 // Loki log collection
- "tag:loki": ["autogroup:admin"],
+ "tag:loki": ["autogroup:admin", "tag:blumeops"],
 // PostgreSQL database server
- "tag:pg": ["autogroup:admin"],
+ "tag:pg": ["autogroup:admin", "tag:blumeops"],
 // Miniflux RSS/Atom feed reader
- "tag:feed": ["autogroup:admin"],
+ "tag:feed": ["autogroup:admin", "tag:blumeops"],
 // This tag is applied to resources modified by blumeops-pulumi IaC
- "tag:blumeops": ["autogroup:admin"],
+ // Includes itself so the OAuth client can apply it to devices
+ "tag:blumeops": ["autogroup:admin", "tag:blumeops"],
 },
 // Test access rules every time they're saved.
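Review bot: Every service tag in this hunk, and `tag:blumeops` itself, can now be minted by whatever holds the OAuth client that acts as `tag:blumeops`, so that client secret (and the Pulumi state or CI runner that carries it) has become a credential that can enrol a rogue node as `tag:pg`, `tag:forge` or any other service tag and inherit whatever the ACL rules outside this hunk grant to those tags; the commit message only describes the convenience side of this. I would record that in the policy so the next reader does not treat the client as low-privilege, e.g. a comment at the top of `tagOwners`: `// tag:blumeops owns every service tag below so the Pulumi OAuth client can tag devices; treat that client secret as tag-minting (admin-equivalent for these tags) and keep it in encrypted Pulumi config.` If Pulumi only manages a subset of these hosts, limiting the `tag:blumeops` ownership to those tags would shrink that blast radius; I cannot tell from the diff which ones it creates. Note also that ownership is granted to anything acting as `tag:blumeops`, not only the OAuth client, which I assume is intended but is worth confirming against how `tag:blumeops` is used in the ACL rules.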