eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/pulumi/tailscale/policy.hujson
Erich Blume 630ebcd12d Add ringtail DeviceTags and homelab-to-homelab SSH rule (#210) 
## Summary
- Add `ringtail` DeviceTags Pulumi resource with `tag:homelab` + `tag:blumeops` (matching indri/sifaka pattern)
- Remove the bootstrap `ringtail_key` auth key — ringtail is already on the tailnet
- Add SSH ACL rule allowing `tag:homelab` → `tag:homelab` SSH, unblocking cross-host management (e.g., ringtail running ansible against indri)

## Deployment and Testing
- [ ] `mise run tailnet-preview` — dry run, confirm diff
- [ ] `mise run tailnet-up` — apply
- [ ] From ringtail: `ssh indri 'hostname'` — should succeed

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/210
2026-02-18 21:48:11 -08:00

203 lines
5.6 KiB
Text
Raw Blame History

// Tailnet ACL policy for tail8d86e.ts.net
// Managed by blumeops-pulumi
{
// ============== Groups ==============
"groups": {
// Placeholder for future Jellyfin media access
"group:allisonflix": [
"blume.erich@gmail.com",
"acmdavis@gmail.com",
],
},
// ============== Access Grants ==============
"grants": [
// --- Admins: full access to all infrastructure ---
{
"src": ["autogroup:admin"],
"dst": ["*"],
"ip": ["*"],
},
// --- Members: user-facing services only ---
// Kiwix, Forge, devpi, Miniflux, PostgreSQL
{
"src": ["autogroup:member"],
"dst": ["tag:kiwix"],
"ip": ["tcp:443"],
},
{
"src": ["autogroup:member"],
"dst": ["tag:forge"],
"ip": ["tcp:443", "tcp:22"],
},
{
"src": ["autogroup:member"],
"dst": ["tag:devpi"],
"ip": ["tcp:443"],
},
{
"src": ["autogroup:member"],
"dst": ["tag:feed"],
"ip": ["tcp:443"],
},
{
"src": ["autogroup:member"],
"dst": ["tag:pg"],
"ip": ["tcp:5432"],
},
// Note: No member access to grafana, loki, or NAS
// --- Infrastructure ---
{
"src": ["tag:homelab"],
"dst": ["tag:homelab"],
"ip": ["*"],
},
{
"src": ["tag:homelab"],
"dst": ["tag:nas"],
"ip": ["*"],
},
// --- Fly.io proxy ---
// Public reverse proxy can only reach explicitly tagged endpoints
{
"src": ["tag:flyio-proxy"],
"dst": ["tag:flyio-target"],
"ip": ["tcp:443"],
},
// --- CI Gateway ---
// Ephemeral CI containers can push images to registry
{
"src": ["tag:ci-gateway"],
"dst": ["tag:registry"],
"ip": ["tcp:443"],
},
// --- Kubernetes workloads ---
// k8s workloads (e.g., Woodpecker CI) can push/pull from registry
{
"src": ["tag:k8s"],
"dst": ["tag:registry"],
"ip": ["tcp:443"],
},
// k8s workloads (e.g., ArgoCD) can access forge on indri for GitOps
// HTTP on 3001, SSH on 2200
{
"src": ["tag:k8s"],
"dst": ["tag:homelab"],
"ip": ["tcp:3001", "tcp:2200"],
},
// Homelab can reach k8s services: PostgreSQL, CNPG metrics, Prometheus/Loki
{
"src": ["tag:homelab"],
"dst": ["tag:k8s"],
"ip": ["tcp:443", "tcp:5432", "tcp:9187"],
},
],
// ============== SSH Access ==============
"ssh": [
// Members can SSH to their own devices
{
"action": "check",
"src": ["autogroup:member"],
"dst": ["autogroup:self"],
"users": ["autogroup:nonroot"],
},
// Admins can SSH to homelab (for ansible)
{
"action": "check",
"src": ["autogroup:admin"],
"dst": ["tag:homelab"],
"users": ["autogroup:nonroot"],
"checkPeriod": "12h0m0s",
},
// Admins can SSH to NAS
{
"action": "check",
"src": ["autogroup:admin"],
"dst": ["tag:nas"],
"users": ["autogroup:nonroot"],
"checkPeriod": "12h0m0s",
},
// Homelab can SSH to homelab (for ansible, cross-host management)
// Tagged devices can't do interactive "check" auth, so use "accept".
{
"action": "accept",
"src": ["tag:homelab"],
"dst": ["tag:homelab"],
"users": ["autogroup:nonroot"],
},
],
// ============== Auto Approvers ==============
// Allow ProxyGroup pods (tag:k8s) to auto-approve VIP Services
// Required for multi-cluster Ingress per Tailscale docs
"autoApprovers": {
"services": {
"tag:k8s": ["tag:k8s"],
},
},
// ============== Tag Owners ==============
"tagOwners": {
"tag:blumeops": ["autogroup:admin", "tag:blumeops"],
"tag:homelab": ["autogroup:admin", "tag:blumeops"],
"tag:workstation": ["autogroup:admin", "tag:blumeops"],
"tag:nas": ["autogroup:admin", "tag:blumeops"],
"tag:grafana": ["autogroup:admin", "tag:blumeops"],
"tag:kiwix": ["autogroup:admin", "tag:blumeops"],
"tag:forge": ["autogroup:admin", "tag:blumeops"],
"tag:devpi": ["autogroup:admin", "tag:blumeops"],
"tag:loki": ["autogroup:admin", "tag:blumeops"],
"tag:pg": ["autogroup:admin", "tag:blumeops"],
"tag:feed": ["autogroup:admin", "tag:blumeops"],
"tag:registry": ["autogroup:admin", "tag:blumeops"],
"tag:k8s-api": ["autogroup:admin", "tag:blumeops"],
"tag:k8s-operator": ["autogroup:admin", "tag:blumeops"],
"tag:k8s": ["autogroup:admin", "tag:blumeops", "tag:k8s-operator"],
"tag:ci-gateway": ["autogroup:admin", "tag:blumeops"],
"tag:flyio-proxy": ["autogroup:admin", "tag:blumeops"],
"tag:flyio-target": ["autogroup:admin", "tag:blumeops", "tag:k8s-operator"],
},
// ============== ACL Tests ==============
"tests": [
// Erich can access everything
{
"src": "blume.erich@gmail.com",
"accept": ["tag:grafana:443", "tag:kiwix:443", "tag:feed:443", "tag:loki:3100", "tag:pg:5432", "tag:homelab:22", "tag:registry:443", "tag:k8s-api:443"],
},
// Allison can access user services but NOT grafana, loki, or NAS
{
"src": "acmdavis@gmail.com",
"accept": ["tag:kiwix:443", "tag:forge:443", "tag:feed:443", "tag:pg:5432"],
"deny": ["tag:grafana:443", "tag:loki:3100", "tag:nas:445", "tag:registry:443", "tag:k8s-api:443"],
},
// Homelab can reach homelab, NAS, and k8s services (postgres, metrics, prometheus/loki)
{
"src": "tag:homelab",
"accept": ["tag:homelab:22", "tag:nas:445", "tag:k8s:443", "tag:k8s:5432", "tag:k8s:9187"],
},
// K8s workloads can reach registry and forge (on indri:3001 HTTP, :2200 SSH)
{
"src": "tag:k8s",
"accept": ["tag:registry:443", "tag:homelab:3001", "tag:homelab:2200"],
},
// CI gateway can push to registry
{
"src": "tag:ci-gateway",
"accept": ["tag:registry:443"],
},
// Fly.io proxy can only reach flyio-target tagged endpoints, nothing else
{
"src": "tag:flyio-proxy",
"accept": ["tag:flyio-target:443"],
"deny": ["tag:k8s:443", "tag:homelab:443", "tag:homelab:22", "tag:nas:445", "tag:registry:443"],
},
],
}
Reference in a new issue View git blame Copy permalink