diff --git a/ansible/playbooks/indri.yml b/ansible/playbooks/indri.yml
index 09779ec..b12e905 100644
--- a/ansible/playbooks/indri.yml
+++ b/ansible/playbooks/indri.yml
@@ -78,23 +78,6 @@
 no_log: true
 tags: [forgejo_runner]
 
- # Tailscale CI gateway auth key (for job container tailnet access)
- - name: Fetch tailscale ci-gateway auth key
- ansible.builtin.command:
- cmd: op --vault vg6xf6vvfmoh5hqjjhlhbeoaie item get w3663ffnvkewbftncqxtcpeavy --fields ci-gateway-ts-auth-key --reveal
- delegate_to: localhost
- register: _tailscale_ci_gateway_auth_key
- changed_when: false
- no_log: true
- check_mode: false
- tags: [tailscale_ci_gateway]
-
- - name: Set tailscale ci-gateway auth key fact
- ansible.builtin.set_fact:
- tailscale_ci_gateway_auth_key: "{{ _tailscale_ci_gateway_auth_key.stdout }}"
- no_log: true
- tags: [tailscale_ci_gateway]
-
 roles:
 - role: alloy
 tags: alloy
@@ -116,7 +99,5 @@
 tags: plex_metrics
 - role: tailscale_serve
 tags: tailscale-serve
- - role: tailscale_ci_gateway
- tags: tailscale_ci_gateway
 - role: forgejo_runner
 tags: forgejo_runner
diff --git a/ansible/roles/tailscale_ci_gateway/defaults/main.yml b/ansible/roles/tailscale_ci_gateway/defaults/main.yml
deleted file mode 100644
index 707df2e..0000000
--- a/ansible/roles/tailscale_ci_gateway/defaults/main.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-# Tailscale CI Gateway - provides tailnet access for Forgejo runner job containers
-
-tailscale_ci_gateway_state_dir: /Users/erichblume/.tailscale-ci-gateway
-tailscale_ci_gateway_network: tailnet-jobs
-tailscale_ci_gateway_network_subnet: "172.30.0.0/24"
-tailscale_ci_gateway_container_name: tailscale-ci-gateway
-tailscale_ci_gateway_hostname: ci-gateway
-tailscale_ci_gateway_image: tailscale/tailscale:latest
diff --git a/ansible/roles/tailscale_ci_gateway/handlers/main.yml b/ansible/roles/tailscale_ci_gateway/handlers/main.yml
deleted file mode 100644
index e35e9b9..0000000
--- a/ansible/roles/tailscale_ci_gateway/handlers/main.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-- name: Restart tailscale-ci-gateway
- listen: Restart tailscale-ci-gateway
- ansible.builtin.shell: |
- launchctl unload ~/Library/LaunchAgents/mcquack.tailscale-ci-gateway.plist 2>/dev/null || true
- launchctl load ~/Library/LaunchAgents/mcquack.tailscale-ci-gateway.plist
- changed_when: true
diff --git a/ansible/roles/tailscale_ci_gateway/tasks/main.yml b/ansible/roles/tailscale_ci_gateway/tasks/main.yml
deleted file mode 100644
index 99f1948..0000000
--- a/ansible/roles/tailscale_ci_gateway/tasks/main.yml
+++ /dev/null
@@ -1,46 +0,0 @@
----
-# Tailscale CI Gateway role
-# Manages a Tailscale container that provides tailnet access for CI job containers
-
-- name: Ensure state directory exists
- ansible.builtin.file:
- path: "{{ tailscale_ci_gateway_state_dir }}"
- state: directory
- mode: "0700"
-
-- name: Check if Docker network exists
- ansible.builtin.command:
- cmd: docker network inspect {{ tailscale_ci_gateway_network }}
- register: tailscale_ci_gateway_network_check
- failed_when: false
- changed_when: false
-
-- name: Create Docker network for CI jobs
- ansible.builtin.command:
- cmd: >-
- docker network create
- --driver bridge
- --subnet {{ tailscale_ci_gateway_network_subnet }}
- {{ tailscale_ci_gateway_network }}
- when: tailscale_ci_gateway_network_check.rc != 0
- changed_when: true
-
-- name: Pull Tailscale image
- ansible.builtin.command:
- cmd: docker pull {{ tailscale_ci_gateway_image }}
- register: tailscale_ci_gateway_pull
- changed_when: "'Downloaded newer image' in tailscale_ci_gateway_pull.stdout or 'Pull complete' in tailscale_ci_gateway_pull.stdout"
-
-- name: Deploy launchd plist for Tailscale CI gateway
- ansible.builtin.template:
- src: tailscale-ci-gateway.plist.j2
- dest: ~/Library/LaunchAgents/mcquack.tailscale-ci-gateway.plist
- mode: "0644"
- notify: Restart tailscale-ci-gateway
-
-- name: Ensure Tailscale CI gateway is loaded
- ansible.builtin.command:
- cmd: launchctl load ~/Library/LaunchAgents/mcquack.tailscale-ci-gateway.plist
- register: tailscale_ci_gateway_load
- failed_when: false
- changed_when: tailscale_ci_gateway_load.rc == 0
diff --git a/ansible/roles/tailscale_ci_gateway/templates/tailscale-ci-gateway.plist.j2 b/ansible/roles/tailscale_ci_gateway/templates/tailscale-ci-gateway.plist.j2
deleted file mode 100644
index 7c223eb..0000000
--- a/ansible/roles/tailscale_ci_gateway/templates/tailscale-ci-gateway.plist.j2
+++ /dev/null
@@ -1,46 +0,0 @@ - - - - - Label - mcquack.tailscale-ci-gateway - - ProgramArguments - - /bin/bash - -c - /dev/null || true -/usr/local/bin/docker rm {{ tailscale_ci_gateway_container_name }} 2>/dev/null || true - -# Run the container (foreground so launchd manages lifecycle) -exec /usr/local/bin/docker run --rm \ - --name {{ tailscale_ci_gateway_container_name }} \ - --hostname {{ tailscale_ci_gateway_hostname }} \ - --network {{ tailscale_ci_gateway_network }} \ - --cap-add NET_ADMIN \ - --cap-add NET_RAW \ - -v {{ tailscale_ci_gateway_state_dir }}:/var/lib/tailscale \ - -e TS_AUTHKEY="{{ tailscale_ci_gateway_auth_key }}" \ - -e TS_STATE_DIR=/var/lib/tailscale \ - -e TS_USERSPACE=false \ - -e TS_ACCEPT_DNS=true \ - -e TS_EXTRA_ARGS="--accept-routes" \ - {{ tailscale_ci_gateway_image }} -]]> - - - RunAtLoad - - - KeepAlive - - - StandardOutPath - {{ ansible_env.HOME }}/Library/Logs/mcquack.tailscale-ci-gateway.out.log - - StandardErrorPath - {{ ansible_env.HOME }}/Library/Logs/mcquack.tailscale-ci-gateway.err.log - - diff --git a/pulumi/policy.hujson b/pulumi/policy.hujson index 789bd96..037f085 100644 --- a/pulumi/policy.hujson +++ b/pulumi/policy.hujson @@ -75,19 +75,6 @@ "ip": ["tcp:3001", "tcp:2200"], }, - // --- CI Gateway (Tailscale sidecar for Forgejo runner jobs) --- - // Can reach Forge for git clone operations - { - "src": ["tag:ci-gateway"], - "dst": ["tag:forge"], - "ip": ["tcp:443"], - }, - // Can reach registry to push/pull container images - { - "src": ["tag:ci-gateway"], - "dst": ["tag:registry"], - "ip": ["tcp:443"], - }, // Homelab can reach k8s services: PostgreSQL, CNPG metrics, Prometheus/Loki { "src": ["tag:homelab"], @@ -140,7 +127,6 @@ "tag:k8s-api": ["autogroup:admin", "tag:blumeops"], "tag:k8s-operator": ["autogroup:admin", "tag:blumeops"], "tag:k8s": ["autogroup:admin", "tag:blumeops", "tag:k8s-operator"], - "tag:ci-gateway": ["autogroup:admin", "tag:blumeops"], }, // ============== ACL Tests ============== 
@@ -166,10 +152,5 @@
 "src": "tag:k8s",
 "accept": ["tag:registry:443", "tag:homelab:3001", "tag:homelab:2200"],
 },
- // CI gateway can reach forge and registry
- {
- "src": "tag:ci-gateway",
- "accept": ["tag:forge:443", "tag:registry:443"],
- },
 ],
 }