From 83956afe92d9d902cf8d33e4f7bb94618f5fe1de Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Sat, 17 Jan 2026 20:10:36 -0800
Subject: [PATCH] Add tag:registry for Zot container registry

Phase 0 of k8s migration: Add registry tag to ACLs.

- Admins get full access via wildcard grant
- Members denied access (infrastructure only)
- Enables tailscale serve for registry.tail8d86e.ts.net

Co-Authored-By: Claude Opus 4.5
---
 pulumi/policy.hujson | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/pulumi/policy.hujson b/pulumi/policy.hujson
index d215ef7..ff4d98b 100644
--- a/pulumi/policy.hujson
+++ b/pulumi/policy.hujson
@@ -101,6 +101,7 @@
     "tag:loki": ["autogroup:admin", "tag:blumeops"],
     "tag:pg": ["autogroup:admin", "tag:blumeops"],
     "tag:feed": ["autogroup:admin", "tag:blumeops"],
+    "tag:registry": ["autogroup:admin", "tag:blumeops"],
   },
 
   // ============== ACL Tests ==============
@@ -108,13 +109,13 @@
     // Erich can access everything
     {
       "src": "blume.erich@gmail.com",
-      "accept": ["tag:grafana:443", "tag:kiwix:443", "tag:feed:443", "tag:loki:3100", "tag:pg:5432", "tag:homelab:22"],
+      "accept": ["tag:grafana:443", "tag:kiwix:443", "tag:feed:443", "tag:loki:3100", "tag:pg:5432", "tag:homelab:22", "tag:registry:443"],
     },
     // Allison can access user services but NOT grafana, loki, or NAS
     {
       "src": "acmdavis@gmail.com",
       "accept": ["tag:kiwix:443", "tag:forge:443", "tag:feed:443", "tag:pg:5432"],
-      "deny": ["tag:grafana:443", "tag:loki:3100", "tag:nas:445", "tag:registry:443"],
+      "deny": ["tag:grafana:443", "tag:loki:3100", "tag:nas:445", "tag:registry:443"],
     },
     // Homelab can reach homelab and NAS
     {
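Review bot: The new `"tag:registry"` owner entry in the first hunk has no comment explaining its role, even though the commit message says the registry is infrastructure-only, and listing `tag:blumeops` as an owner presumably lets any blumeops-tagged node apply the registry tag to itself — worth stating so the next reviewer can judge whether that is intended. A one-line comment above the entry would do, e.g. `// Zot container registry (k8s phase 0): admin/blumeops-owned, infrastructure only — members are denied in the ACL tests below`. The wildcard grant that the description credits for admin access is not part of this diff, so it can only be taken on trust here. The enclosing tagOwners object begins outside the hunk.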
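Review bot: The ACL tests in the second hunk pin only the admin accept and the member deny for `"tag:registry:443"`; nothing asserts what the nodes that will actually pull from the registry may do, and the Homelab test block that starts at the hunk's last line continues outside it without any registry entry. If those nodes must reach the registry, add `"tag:registry:443"` to that block's accept list, or to a deny list if they are not meant to, so a drifting grant fails the test rather than silently widening or breaking access. Coverage is also limited to port 443, which matches the tailscale serve mention in the description; if Zot's native listener is ever exposed directly on the tailnet, that port has no test. The tests array these objects sit in begins outside the hunk.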