Add Pulumi for tailnet IaC management #15

Merged
eblume merged 2 commits from feature/pulumi-tailnet-iac into main 2026-01-15 20:55:26 -08:00
Summary

  • Manage tail8d86e.ts.net ACLs, tags, and DNS via Pulumi + Python
  • State stored in Pulumi Cloud (free tier) to avoid circular dependency
  • OAuth authentication via 1Password for secure credential management
  • New mise tasks: tailnet-preview, tailnet-up

Architecture

Two-layer approach:

  • Layer 1 (Pulumi): Tailnet-wide config (ACLs, tags, DNS)
  • Layer 2 (Ansible): Node-local tailscale serve config (unchanged)

Test plan

  • Exported current ACL from Tailscale API
  • Imported existing ACL into Pulumi state
  • Verified mise run tailnet-preview shows no changes
  • Verified mise run tailnet-up applies successfully

🤖 Generated with Claude Code
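The Layer 1 change above is the interesting part from a security standpoint: once the ACL lives in code, the obvious checks are that the policy refers only to tags that actually have owners, and that a preview against the exported policy really is a no-op before anything is applied. The block below is an added example, not code from the blumeops repository or from the PR author. It builds a policy from Python data, flags tags used in rules but absent from `tagOwners`, and diffs the result against a previously exported policy; all tags, hosts and the exported policy are constructed sample values, not the real tail8d86e.ts.net configuration. The string returned by `to_acl_json()` is what would be handed to the `acl` argument of a `pulumi_tailscale` `Acl` resource (assumed usage; the provider import is left out so the module runs without Pulumi installed).

```python
"""
Added example: validate and drift-check a Tailscale ACL policy before
passing it to Pulumi. Not part of the blumeops repo; all values constructed.
"""
import json

# Constructed sample inputs (not the real tailnet policy).
TAG_OWNERS = {
    "tag:server": ["autogroup:admin"],
    "tag:monitoring": ["autogroup:admin"],
}
ACL_RULES = [
    {"action": "accept", "src": ["autogroup:member"], "dst": ["tag:server:443"]},
    {"action": "accept", "src": ["tag:monitoring"], "dst": ["tag:server:9100"]},
]
# Constructed stand-in for what an export of the current policy would return.
EXPORTED_POLICY = {
    "tagOwners": {
        "tag:server": ["autogroup:admin"],
        "tag:monitoring": ["autogroup:admin"],
    },
    "acls": [
        {"action": "accept", "src": ["autogroup:member"], "dst": ["tag:server:443"]},
        {"action": "accept", "src": ["tag:monitoring"], "dst": ["tag:server:9100"]},
    ],
}


def build_policy(tag_owners, acls):
    """Assemble the policy document from separately maintained pieces."""
    return {"tagOwners": dict(tag_owners), "acls": [dict(r) for r in acls]}


def _referenced_tags(acls):
    """Collect every 'tag:<name>' used in src/dst; dst entries carry a port suffix."""
    tags = set()
    for rule in acls:
        for field in ("src", "dst"):
            for entry in rule.get(field, []):
                if entry.startswith("tag:"):
                    parts = entry.split(":")          # "tag:server:443" -> tag:server
                    tags.add(":".join(parts[:2]))
    return tags


def undeclared_tags(policy):
    """Tags referenced by rules but missing from tagOwners (would never match)."""
    return _referenced_tags(policy["acls"]) - set(policy["tagOwners"])


def _canonical(value):
    """Stable serialisation so key order and whitespace do not count as drift."""
    return json.dumps(value, sort_keys=True, separators=(",", ":"))


def policy_diff(current, desired):
    """Top-level keys whose content differs between the exported and desired policy."""
    return [
        key
        for key in sorted(set(current) | set(desired))
        if _canonical(current.get(key)) != _canonical(desired.get(key))
    ]


def drift_report(exported, tag_owners, acls):
    """Summary a preview step can assert on before an apply."""
    desired = build_policy(tag_owners, acls)
    return {
        "undeclared_tags": sorted(undeclared_tags(desired)),
        "changed_keys": policy_diff(exported, desired),
    }


def to_acl_json(policy):
    """Serialise for the provider's `acl` argument; refuse policies with orphan tags."""
    orphans = undeclared_tags(policy)
    if orphans:
        raise ValueError(f"tags used in acls but missing from tagOwners: {sorted(orphans)}")
    return json.dumps(policy, indent=2, sort_keys=True)


if __name__ == "__main__":
    print(drift_report(EXPORTED_POLICY, TAG_OWNERS, ACL_RULES))
    print(to_acl_json(build_policy(TAG_OWNERS, ACL_RULES)))
```

The exported policy must be plain JSON for this to parse; a policy saved with comments (HuJSON) needs to be requested or converted as strict JSON first, otherwise `json.loads` rejects it. Keeping `tagOwners` and `acls` as separate Python values, as the example does, is also what makes the "orphan tag" check cheap to run on every preview.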

- Manage tail8d86e.ts.net ACLs, tags, and DNS via Pulumi + Python
- State stored in Pulumi Cloud (free tier) to avoid circular dependency
- OAuth authentication via 1Password for secure credential management
- mise tasks: tailnet-preview, tailnet-up

Two-layer approach:
- Layer 1 (Pulumi): Tailnet-wide config (ACLs, tags, DNS)
- Layer 2 (Ansible): Node-local tailscale serve config (unchanged)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Manage tailscale serve configuration declaratively via ansible
- Define services in defaults/main.yml (grafana, forge, kiwix, pypi)
- Role depends on service roles to ensure correct execution order
- Incremental idempotency: only apply if service missing

Two-layer tailnet IaC is now complete:
- Layer 1 (Pulumi): ACLs, tags, DNS
- Layer 2 (Ansible): tailscale serve config

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
eblume merged commit 3f4e40f3ae into main 2026-01-15 20:55:26 -08:00
Reference
eblume/blumeops!15