From e4b930d4f4a8ff37477505aab4c4bd760b6efb16 Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Wed, 18 Feb 2026 21:40:00 -0800
Subject: [PATCH] Use accept action for homelab-to-homelab SSH rule
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Tagged devices cannot perform interactive browser-based "check" auth, so use "accept" for tag:homelab → tag:homelab SSH.
Co-Authored-By: Claude Opus 4.6
---
 pulumi/tailscale/policy.hujson | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pulumi/tailscale/policy.hujson b/pulumi/tailscale/policy.hujson
index 417c1fa..e24ca48 100644
--- a/pulumi/tailscale/policy.hujson
+++ b/pulumi/tailscale/policy.hujson
@@ -125,12 +125,12 @@
 "checkPeriod": "12h0m0s",
 },
 // Homelab can SSH to homelab (for ansible, cross-host management)
+ // Tagged devices can't do interactive "check" auth, so use "accept".
 {
- "action": "check",
+ "action": "accept",
 "src": ["tag:homelab"],
 "dst": ["tag:homelab"],
 "users": ["autogroup:nonroot"],
- "checkPeriod": "12h0m0s",
 },
 ],
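Review bot: With `"action": "accept"` the rule keeps `"src": ["tag:homelab"]` and `"users": ["autogroup:nonroot"]`, so every homelab-tagged node can open an SSH session as any non-root account on every other homelab node with no re-authentication step. A single compromised host then gives lateral access across the whole tag. If only the Ansible controller needs to initiate connections (not visible from this hunk), narrow the rule to a dedicated source tag and a named automation account, e.g. `"src": ["tag:<controller-tag-placeholder>"],` and `"users": ["<automation-user-placeholder>"],`, and check that `tagOwners` limits who may assign `tag:homelab`. The added comment could also record this trade-off, e.g. `// "accept" skips re-auth: any tag:homelab node can reach any other; keep tag ownership tight.` The enclosing `ssh` array begins and ends outside the hunk.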