Fix Step 0.1: Use correct policy.hujson structure

- Use 'grants' not 'acls' (that's the newer format) - Show exact line numbers and locations for each change - Include tagOwners, grants, and tests sections - Follow existing pattern with tag:blumeops in tagOwners Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-17 13:42:19 -08:00 · 2026-01-17 13:42:19 -08:00 · ee42f0f1a2
commit ee42f0f1a2
parent 26113aee42
1 changed files with 16 additions and 9 deletions
--- a/docs/k8s-migration.md
+++ b/docs/k8s-migration.md
@ -84,23 +84,30 @@ This applies to all mcquack LaunchAgents (zot, devpi, kiwix, borgmatic, metrics
 - `pulumi/policy.hujson`

 **Changes:**
-Add new tags and ACL rules:
-```hujson
-// In tagOwners section
-"tag:registry": ["autogroup:admin"],
-"tag:k8s":      ["autogroup:admin"],

-// In acls section - add registry access
+1. Add new tags to `tagOwners` section (around line 104, after `"tag:feed"`):
+```hujson
+"tag:registry": ["autogroup:admin", "tag:blumeops"],
+"tag:k8s":      ["autogroup:admin", "tag:blumeops"],
+```
+
+2. Add registry grant to `grants` section (around line 48, after the `tag:pg` grant):
+```hujson
 {
-  "action": "accept",
-  "src":    ["autogroup:member"],
-  "dst":    ["tag:registry:443"],
+	"src": ["autogroup:member"],
+	"dst": ["tag:registry"],
+	"ip":  ["tcp:443"],
 },
 ```

+3. Add test case to `tests` section (update Erich's accept list around line 111):
+```hujson
+"accept": ["tag:grafana:443", "tag:kiwix:443", "tag:feed:443", "tag:loki:3100", "tag:pg:5432", "tag:homelab:22", "tag:registry:443"],
+```
+
 **Testing:**
 ```bash
-mise run tailnet-preview   # Review changes
+mise run tailnet-preview   # Review changes - should show new tags and grants
 mise run tailnet-up        # Apply changes
 ```