From ee42f0f1a2e217d715e4cbc237d1f559a472f84d Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Sat, 17 Jan 2026 13:42:19 -0800 Subject: [PATCH] Fix Step 0.1: Use correct policy.hujson structure - Use 'grants' not 'acls' (that's the newer format) - Show exact line numbers and locations for each change - Include tagOwners, grants, and tests sections - Follow existing pattern with tag:blumeops in tagOwners Co-Authored-By: Claude Opus 4.5 --- docs/k8s-migration.md | 27 +++++++++++++++++---------- 1 file changed, 17 insertions(+), 10 deletions(-) diff --git a/docs/k8s-migration.md b/docs/k8s-migration.md index bf0bdb8..c448a3d 100644 --- a/docs/k8s-migration.md +++ b/docs/k8s-migration.md @@ -84,23 +84,30 @@ This applies to all mcquack LaunchAgents (zot, devpi, kiwix, borgmatic, metrics - `pulumi/policy.hujson` **Changes:** -Add new tags and ACL rules: -```hujson -// In tagOwners section -"tag:registry": ["autogroup:admin"], -"tag:k8s": ["autogroup:admin"], -// In acls section - add registry access +1. Add new tags to `tagOwners` section (around line 104, after `"tag:feed"`): +```hujson +"tag:registry": ["autogroup:admin", "tag:blumeops"], +"tag:k8s": ["autogroup:admin", "tag:blumeops"], +``` + +2. Add registry grant to `grants` section (around line 48, after the `tag:pg` grant): +```hujson { - "action": "accept", - "src": ["autogroup:member"], - "dst": ["tag:registry:443"], + "src": ["autogroup:member"], + "dst": ["tag:registry"], + "ip": ["tcp:443"], }, ``` +3. Add test case to `tests` section (update Erich's accept list around line 111): +```hujson +"accept": ["tag:grafana:443", "tag:kiwix:443", "tag:feed:443", "tag:loki:3100", "tag:pg:5432", "tag:homelab:22", "tag:registry:443"], +``` + **Testing:** ```bash -mise run tailnet-preview # Review changes +mise run tailnet-preview # Review changes - should show new tags and grants mise run tailnet-up # Apply changes ```
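Review bot: In the `grants` hunk the only rule added is `"src": ["autogroup:member"]` to `tag:registry` on `tcp:443`, yet the same change declares `tag:k8s` in `tagOwners` without any grant or test that references it; if the point of Step 0.1 is that k8s nodes pull images from the registry, a second grant with `"src": ["tag:k8s"]` (and a matching `tests` entry whose `src` is `tag:k8s`) is missing, and if `tag:k8s` is reserved for a later step, say so in the doc so a reader of `mise run tailnet-preview` is not surprised that the new tag shows up with no rule attached. On the same theme, the `tests` update only extends Erich's `accept` list; adding a `deny` expectation (for example that a node that is neither a member nor `tag:k8s` cannot reach `tag:registry:443`) would make the preview catch an over-broad grant rather than only confirming the happy path. Minor: the "around line 104" / "around line 48" anchors will drift as `policy.hujson` changes; anchoring each edit on the neighbouring key (`after "tag:feed"`, `after the tag:pg grant`) as the text already does is enough, so the line numbers can be dropped.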