Erich Blume
e6cf7e47e0
All checks were successful
Deploy Fly.io Proxy / deploy (push) Successful in 1m8s
## Summary - Introduce `tag:flyio-target` so services must explicitly opt in to be reachable by the fly.io proxy - Replace broad `tag:k8s` and `tag:homelab` grants with the new tag in the ACL rule and test - Add `tailscale.com/tags: "tag:k8s,tag:flyio-target"` annotation to docs, loki, and prometheus Ingresses - Switch Alloy push endpoints from `*.ops.eblu.me` (Caddy) to `*.tail8d86e.ts.net` (Tailscale Ingress) - Update docs: flyio-proxy, caddy, tailscale, forgejo (future public access + security checklist), expose-service-publicly ## Manual step (not in PR) Update the k8s operator OAuth client in the Tailscale admin console to include `tag:flyio-target` in its scope. Without this, the operator cannot assign the new tag to Ingress proxy nodes. ## Deployment order 1. **Pulumi ACLs** — `mise run tailnet-preview && mise run tailnet-up` 2. **OAuth client** — Manual update in Tailscale admin console 3. **K8s Ingresses** — `argocd app sync apps && argocd app sync docs loki prometheus` 4. **Fly.io proxy** — `mise run fly-deploy` 5. **Verify** — `mise run services-check`, check Grafana dashboards ## Test plan - [ ] `mise run tailnet-preview` shows clean diff - [ ] `argocd app diff docs`, `argocd app diff loki`, `argocd app diff prometheus` show only annotation additions - [ ] After deploy: Grafana dashboards show continued log/metric flow - [ ] `curl -sf https://docs.eblu.me` returns 200 - [ ] `mise run services-check` passes 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/126
2 KiB
2 KiB
| title | tags | ||
|---|---|---|---|
| Tailscale |
|
Tailscale
Tailnet tail8d86e.ts.net provides secure networking for all BlumeOps infrastructure.
ACL Management
ACLs managed via Pulumi in pulumi/policy.hujson.
Groups
| Group | Members | Purpose |
|---|---|---|
group:allisonflix |
admin, member | jellyfin media access |
Device Tags
| Tag | Devices | Purpose |
|---|---|---|
tag:homelab |
indri | Server infrastructure |
tag:nas |
sifaka | Network-attached storage |
tag:blumeops |
indri, sifaka | Pulumi IaC managed resources |
tag:registry |
indri | Container registry access |
tag:k8s-api |
indri | Kubernetes API server access |
tag:k8s-operator |
(operator pod) | Tailscale operator for k8s |
tag:k8s |
(Ingress proxy pods) | Kubernetes Tailscale Ingress nodes |
tag:flyio-target |
(k8s Ingress nodes) | Endpoints reachable by fly.io proxy |
Important: Don't tag user-owned devices (like gilbert). Tagging converts them to "tagged devices" which lose user identity and break user-based SSH rules.
Access Matrix
| Source | Kiwix | Forge | PyPI | Miniflux | PostgreSQL | NAS | Grafana | Loki |
|---|---|---|---|---|---|---|---|---|
autogroup:admin |
Y | Y | Y | Y | Y | Y | Y | Y |
autogroup:member |
Y | Y | Y | Y | Y | - | - | - |
tag:homelab |
- | - | - | - | - | Y | - | - |
- Admins - full access to all services
- Members - member services only, no Grafana/Loki/NAS
SSH Access
| Source | Destinations | Auth |
|---|---|---|
autogroup:member |
autogroup:self |
check |
autogroup:admin |
tag:homelab |
check (12h) |
autogroup:admin |
tag:nas |
check (12h) |
OAuth Credentials
Pulumi uses OAuth client from 1Password (blumeops vault):
- Scopes: acl, dns, devices, services
- Auto-applies
tag:blumeopsto IaC-managed resources