Harden Tailscale ACL policy with least-privilege grants #23

Merged
eblume merged 3 commits from pulumi-tailscale-security-hardening into main 2026-01-17 11:58:05 -08:00

3 commits

Author SHA1 Message Date
3e2e9ecb80 Use autogroup:admin and dst:* for admin grants
The previous commit incorrectly assumed autogroup:admin and dst:["*"]
didn't work. The actual issue was that tagging gilbert converted it
from a user-owned device to a tagged device, losing user identity.

Now that gilbert remains untagged, autogroup:admin works correctly.
This simplifies the policy and allows future admins to inherit access.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-17 11:55:13 -08:00
71358e455d Fix Tailscale ACL: use explicit emails instead of autogroups
Key learnings from debugging:
- autogroup:admin and dst: ["*"] don't work reliably in grants
- Tagging user-owned devices converts them to "tagged devices",
  losing user identity and breaking user-based SSH rules

Changes:
- Use blume.erich@gmail.com directly instead of autogroup:admin
- Use explicit tag destinations instead of wildcards
- Remove gilbert from Pulumi tagging (keep as user-owned device)
- Restore SSH with check action for MFA
- Add ACL tests for access validation

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-17 11:47:51 -08:00
7071293dda Harden Tailscale ACL policy with least-privilege grants
Replace permissive wildcard ACL with specific service grants:
- Admin: full access to all services including NAS
- Member: user-facing services only (no Grafana/Loki/NAS)
- Infrastructure tags for device-to-device communication

Add device tagging via Pulumi:
- gilbert (workstation) - informational tag only
- sifaka (NAS) - backup target for homelab, admin-only access
- indri already tagged as homelab with service tags

SSH hardening:
- Remove root SSH access
- Use "check" action with MFA for all SSH rules
- Admin can SSH to homelab, workstation, nas, self

Add ACL tests to validate policy behavior on save.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-17 11:09:22 -08:00
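The policy shape the three commits converge on (admin grant via autogroup:admin with dst ["*"], members limited to user-facing ports, tag-to-tag rules for device traffic, SSH with the "check" action and no root, and tests that run on save) as an added example of a Tailscale policy file in HuJSON. This is not the repository's own policy: the tag names other than tag:homelab and tag:nas, the member address, the SSH username, and every port number are assumptions for illustration.

```jsonc
// Added example (not the repository's own policy): a Tailscale policy file in
// HuJSON that applies the least-privilege shape described in the commits.
// Tag names beyond tag:homelab and tag:nas, the member address, the SSH
// username, and all port numbers are assumptions for illustration.
{
  "tagOwners": {
    "tag:homelab": ["autogroup:admin"],
    "tag:nas":     ["autogroup:admin"]
  },

  "grants": [
    // Admins reach everything on any port; using autogroup:admin rather than
    // a literal email means future admins inherit this without a policy edit.
    { "src": ["autogroup:admin"], "dst": ["*"], "ip": ["*"] },

    // Members get only user-facing ports on the homelab host (assumed: 443 on
    // a reverse proxy). Grafana/Loki (assumed 3000/3100) and the NAS are
    // deliberately not listed, so they are denied.
    { "src": ["autogroup:member"], "dst": ["tag:homelab"], "ip": ["tcp:443"] },

    // Device-to-device: the homelab backs up to the NAS (assumed: SSH, port
    // 22). No user is involved, so a tag -> tag rule is the right shape here.
    { "src": ["tag:homelab"], "dst": ["tag:nas"], "ip": ["tcp:22"] }
  ],

  "ssh": [
    // "check" makes the connecting *user* re-authenticate before the session
    // is allowed; checkPeriod bounds how long that re-auth is cached.
    // Because the source must carry a user identity, the admin workstation
    // (gilbert) has to stay user-owned: tagging it would turn it into a tagged
    // device with no user, and this rule would stop matching it as src.
    {
      "action": "check",
      "checkPeriod": "12h",
      "src": ["autogroup:admin"],
      "dst": ["tag:homelab", "tag:nas", "autogroup:self"],
      "users": ["autogroup:nonroot"]   // no root logins
    }
  ],

  // Evaluated when the policy is saved; a failing test rejects the save.
  "tests": [
    { "src": "blume.erich@gmail.com",
      "accept": ["tag:homelab:443", "tag:homelab:3000", "tag:nas:445"] },
    { "src": "member@example.com",   // assumed non-admin member account
      "accept": ["tag:homelab:443"],
      "deny":   ["tag:homelab:3000", "tag:homelab:3100", "tag:nas:445"] }
  ],
  "sshTests": [
    { "src": "blume.erich@gmail.com", "dst": ["tag:nas"],
      "check": ["ubuntu"], "deny": ["root"] },   // "ubuntu" is an assumed user
    { "src": "member@example.com", "dst": ["tag:nas"],
      "deny": ["ubuntu", "root"] }
  ]
}
```

The sshTests entries are the check that catches the failure mode from the second commit: if the workstation were tagged, the admin test would still pass on paper (the policy is evaluated per user), but real connections from the tagged device would not match src autogroup:admin. Keeping the workstation user-owned and asserting the "check" outcome for the admin and a full deny for the member documents the intended behaviour in the policy itself.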