Add ringtail DeviceTags and homelab-to-homelab SSH rule

Ringtail is already on the tailnet but had no DeviceTags resource — add one matching the indri/sifaka pattern. Remove the bootstrap auth key since ringtail is fully provisioned. Add an SSH ACL rule so tag:homelab devices can SSH to each other, which unblocks ansible/cross-host management from ringtail to indri. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-18 21:38:10 -08:00 · 2026-02-18 21:38:10 -08:00 · c87dd1c6d7
commit c87dd1c6d7
parent aa04618829
3 changed files with 24 additions and 13 deletions
--- a/docs/changelog.d/fix-tailscale-ssh-ringtail.infra.md
+++ b/docs/changelog.d/fix-tailscale-ssh-ringtail.infra.md
@ -0,0 +1 @@
+Add ringtail DeviceTags to Pulumi and allow homelab-to-homelab Tailscale SSH for cross-host ansible/management.
--- a/pulumi/tailscale/main.py
+++ b/pulumi/tailscale/main.py
@ -70,6 +70,18 @@ sifaka_tags = tailscale.DeviceTags(
    ],
 )

+# ringtail - NixOS gaming/compute workstation
+# Managed by this IaC after initial bootstrap via auth key.
+ringtail = tailscale.get_device(name="ringtail.tail8d86e.ts.net")
+ringtail_tags = tailscale.DeviceTags(
+    "ringtail-tags",
+    device_id=ringtail.node_id,
+    tags=[
+        "tag:homelab",  # Server role - allows SSH from workstations and homelab peers
+        "tag:blumeops",  # Managed by this IaC
+    ],
+)
+
 # ============== Auth Keys ==============

 # Auth key for Fly.io proxy container (public reverse proxy)
@ -82,26 +94,16 @@ flyio_key = tailscale.TailnetKey(
    expiry=7776000,  # 90 days
 )

-# Auth key for ringtail (gaming/compute workstation, NixOS)
-# Used during bootstrap: `tailscale up --auth-key=<key>`
-# Once ringtail is on the tailnet, add DeviceTags resource for ongoing management.
-ringtail_key = tailscale.TailnetKey(
-    "ringtail-key",
-    reusable=False,
-    ephemeral=False,
-    preauthorized=True,
-    tags=["tag:homelab", "tag:blumeops"],
-    expiry=86400,  # 24 hours - single use for bootstrap
-)
-
 # ============== Exports ==============
 pulumi.export("acl_id", acl.id)
 pulumi.export("policy_hash", policy_hash)
 pulumi.export("flyio_authkey", flyio_key.key)
-pulumi.export("ringtail_authkey", ringtail_key.key)

 pulumi.export("indri_device_id", indri.node_id)
 pulumi.export("indri_tags", indri_tags.tags)

 pulumi.export("sifaka_device_id", sifaka.node_id)
 pulumi.export("sifaka_tags", sifaka_tags.tags)
+
+pulumi.export("ringtail_device_id", ringtail.node_id)
+pulumi.export("ringtail_tags", ringtail_tags.tags)
--- a/pulumi/tailscale/policy.hujson
+++ b/pulumi/tailscale/policy.hujson
@ -124,6 +124,14 @@
 			"users":  ["autogroup:nonroot"],
 			"checkPeriod": "12h0m0s",
 		},
+		// Homelab can SSH to homelab (for ansible, cross-host management)
+		{
+			"action": "check",
+			"src":    ["tag:homelab"],
+			"dst":    ["tag:homelab"],
+			"users":  ["autogroup:nonroot"],
+			"checkPeriod": "12h0m0s",
+		},
 	],

 	// ============== Auto Approvers ==============
				`@ -0,0 +1 @@`
				`Add ringtail DeviceTags to Pulumi and allow homelab-to-homelab Tailscale SSH for cross-host ansible/management.`