From b4b8abb2d9ea30d111fbee8f95eb1da6c622a3a9 Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Sat, 24 Jan 2026 19:38:02 -0800
Subject: [PATCH] Add tag:ci-gateway to Tailscale ACL for CI builds

- Add tag:ci-gateway to tagOwners
- Grant ci-gateway access to registry on port 443
- Add test for ci-gateway -> registry access

Co-Authored-By: Claude Opus 4.5
---
 pulumi/policy.hujson | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/pulumi/policy.hujson b/pulumi/policy.hujson
index 037f085..9949ade 100644
--- a/pulumi/policy.hujson
+++ b/pulumi/policy.hujson
@@ -60,6 +60,14 @@
 "ip": ["*"],
 },
 
+ // --- CI Gateway ---
+ // Ephemeral CI containers can push images to registry
+ {
+ "src": ["tag:ci-gateway"],
+ "dst": ["tag:registry"],
+ "ip": ["tcp:443"],
+ },
+
 // --- Kubernetes workloads ---
 // k8s workloads (e.g., Woodpecker CI) can push/pull from registry
 {
@@ -127,6 +135,7 @@
 "tag:k8s-api": ["autogroup:admin", "tag:blumeops"],
 "tag:k8s-operator": ["autogroup:admin", "tag:blumeops"],
 "tag:k8s": ["autogroup:admin", "tag:blumeops", "tag:k8s-operator"],
+ "tag:ci-gateway": ["autogroup:admin", "tag:blumeops"],
 },
 
 // ============== ACL Tests ==============
@@ -152,5 +161,10 @@
 "src": "tag:k8s",
 "accept": ["tag:registry:443", "tag:homelab:3001", "tag:homelab:2200"],
 },
+ // CI gateway can push to registry
+ {
+ "src": "tag:ci-gateway",
+ "accept": ["tag:registry:443"],
+ },
 ],
 }
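Review bot: The comment on the added rule in the first hunk says ephemeral CI containers can push, but a grant to `tag:registry` on `tcp:443` only makes the registry reachable; it does not distinguish push from pull, and whether the nodes are actually ephemeral depends on the auth key that carries `tag:ci-gateway` (not part of this patch), not on this rule or on the `tagOwners` entry added in the second hunk. I would reword the comment to `// Ephemeral CI containers (auth key tagged ci-gateway) can reach the registry; push vs pull is enforced by the registry itself` so the next reader does not take the ACL as the control on who may push. If the ci-gateway node is shared by several CI jobs, every job on it presumably inherits this reachability, so the registry's own authentication is what limits push access and is worth confirming alongside this change.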
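Review bot: The test added in the third hunk only asserts what `tag:ci-gateway` may reach; it does not assert what it must not, so a later rule that widens the tag's access would still pass the test suite. Adding a `deny` list next to `accept`, for instance `"deny": ["tag:homelab:2200"],` (a destination the neighbouring `tag:k8s` test already names), pins the intended least-privilege scope of the new tag. The enclosing `tests` array starts outside the hunk.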