blumeops/docs/how-to/configuration/update-tailscale-acls.md
Erich Blume 27d8f3cf1f Review gandi-operations doc and reorganize how-to guides (#200)
Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/200
2026-02-17 07:29:33 -08:00


title: Update Tailscale ACLs
modified: 2026-02-07
tags: how-to, tailscale, pulumi

Update Tailscale ACLs

How to modify Tailscale access control policies for the tailnet.

Prerequisites

  • Pulumi CLI installed (brew install pulumi)
  • mise installed (the tailnet-preview and tailnet-up commands below are mise tasks)
  • Access to the 1Password blumeops vault (for the Tailscale OAuth client credentials Pulumi authenticates with)

Edit the Policy

The ACL policy lives in pulumi/policy.hujson. HuJSON is JSON that additionally allows // and /* */ comments and trailing commas, so the snippets below can be pasted into the existing sections as shown.

Common changes:

Add a new ACL rule

{
  "acls": [
    // ... existing rules ...
    {
      "action": "accept",
      "src": ["autogroup:admin"],
      "dst": ["tag:newservice:*"]
    }
  ]
}

Add a new tag

{
  "tagOwners": {
    // ... existing tags ...
    "tag:newservice": ["autogroup:admin"]
  }
}

Add a new group

{
  "groups": {
    // ... existing groups ...
    "group:newgroup": ["user1@example.com", "user2@example.com"]
  }
}

Preview and Apply

# Preview changes (always do this first)
mise run tailnet-preview

# Apply changes
mise run tailnet-up

# Skip confirmation prompt
mise run tailnet-up -- --yes

Verify

Open the Access Controls page of the Tailscale admin console (https://login.tailscale.com/admin/acls) and confirm that the policy shown there matches what Pulumi just applied; the admin console always reflects the policy the control plane is enforcing, so it is the authoritative check after tailnet-up.

Common Patterns

Service-specific access

Grant access to a specific service port:

{
  "action": "accept",
  "src": ["group:users"],
  "dst": ["tag:homelab:8080"]
}

SSH access

The "check" action below allows Tailscale SSH but requires the connecting user to re-authenticate in the browser before the session is accepted (by default the check is repeated every 12 hours); use it rather than "accept" for anything privileged.

{
  "ssh": [
    {
      "action": "check",
      "src": ["autogroup:admin"],
      "dst": ["tag:servers"],
      "users": ["autogroup:nonroot"]
    }
  ]
}

All ports for admins

{
  "action": "accept",
  "src": ["autogroup:admin"],
  "dst": ["*:*"]
}
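The edits under "Common changes" and the rules under "Common Patterns" are easy to get subtly wrong: a rule that references a tag nobody added to tagOwners, a group name typo, or the any-to-any accept rule that every new tailnet starts with and that an "All ports for admins" rule is supposed to replace. The script below is an added example for this guide, not code from blumeops or from Tailscale. It parses a HuJSON policy (comments and trailing commas included), checks that every tag: and group: referenced by an ACL or SSH rule is declared, flags a leftover "*" to "*:*" accept rule, and flags an SSH rule that grants root without action "check". The sample policy embedded in it is constructed for the example, and the file name lint_policy.py and the wording of the findings are assumptions.

```python
"""Lint pulumi/policy.hujson before `mise run tailnet-preview`.

Added example for this how-to, not part of blumeops. It assumes the policy
uses the "groups", "tagOwners", "acls" and "ssh" sections shown in the guide
and that ACL dst entries are "host:port" strings. Usage:

    python lint_policy.py pulumi/policy.hujson   # exits 1 on findings
"""
import json
import re
import sys
from pathlib import Path

# Constructed sample policy (not the real blumeops policy) resembling the
# snippets in this guide, seeded with two mistakes the lint should catch.
SAMPLE_POLICY = r'''
{
  "groups": {
    "group:users": ["user1@example.com", "user2@example.com"],
  },
  "tagOwners": {
    "tag:homelab": ["autogroup:admin"],
    "tag:servers": ["autogroup:admin"],
  },
  "acls": [
    {"action": "accept", "src": ["*"], "dst": ["*:*"]},  // default-open rule never removed
    {"action": "accept", "src": ["autogroup:admin"], "dst": ["*:*"]},
    {"action": "accept", "src": ["group:users"], "dst": ["tag:homelab:8080"]},
    /* typo: tagOwners declares no tag:newservice */
    {"action": "accept", "src": ["group:users"], "dst": ["tag:newservice:*"]},
  ],
  "ssh": [
    {"action": "check", "src": ["autogroup:admin"], "dst": ["tag:servers"],
     "users": ["autogroup:nonroot"]},
  ],
}
'''


def hujson_loads(text: str):
    """Parse HuJSON (JSON plus //, /* */ comments and trailing commas)."""
    parts, buf, i, n = [], [], 0, len(text)
    while i < n:
        c = text[i]
        if c == '"':                                   # string literal, kept verbatim
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1       # skip escaped characters
            parts.append("".join(buf))
            buf = []
            parts.append(text[i:j + 1])
            i = j + 1
        elif text.startswith("//", i):                 # line comment
            j = text.find("\n", i)
            i = n if j < 0 else j
        elif text.startswith("/*", i):                 # block comment
            j = text.find("*/", i + 2)
            i = n if j < 0 else j + 2
        else:
            buf.append(c)
            i += 1
    parts.append("".join(buf))
    # parts alternates non-string / string segments, so trailing commas are
    # only stripped outside string literals.
    cleaned = [re.sub(r",(\s*[}\]])", r"\1", p) if k % 2 == 0 else p
               for k, p in enumerate(parts)]
    return json.loads("".join(cleaned))


def _principal(ref: str) -> str:
    """'tag:homelab:8080' -> 'tag:homelab'; 'group:users' -> 'group:users'."""
    m = re.match(r"((?:tag|group):[^:]+)", ref)
    return m.group(1) if m else ref


def lint_policy(policy: dict) -> list[str]:
    """Return findings: undeclared tags/groups, any-to-any, root SSH without check."""
    declared = set(policy.get("groups", {})) | set(policy.get("tagOwners", {}))
    findings = []
    rules = [("acls", r) for r in policy.get("acls", [])]
    rules += [("ssh", r) for r in policy.get("ssh", [])]
    for section, rule in rules:
        for ref in rule.get("src", []) + rule.get("dst", []):
            name = _principal(ref)
            if name.startswith(("tag:", "group:")) and name not in declared:
                findings.append(f"{section}: {name!r} is not declared in groups/tagOwners")
        if section == "acls" and "*" in rule.get("src", []) and "*:*" in rule.get("dst", []):
            findings.append("acls: any-to-any rule grants every device every port")
        if section == "ssh" and rule.get("action") == "accept" and "root" in rule.get("users", []):
            findings.append("ssh: unattended (accept) root login; prefer action=check")
    return findings


if __name__ == "__main__":
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_POLICY
    problems = lint_policy(hujson_loads(text))
    for p in problems:
        print("FINDING:", p)
    sys.exit(1 if problems else 0)
```

Run it against pulumi/policy.hujson as a pre-commit hook or just before tailnet-preview; on the constructed sample it reports the undeclared tag:newservice and the any-to-any rule and exits non-zero. The parser keeps string literals intact while scanning, so a "//" inside a hostname or URL value is not mistaken for a comment.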

Troubleshooting

"Credential expired" error: Pulumi authenticates to Tailscale with the OAuth client credentials from the 1Password blumeops vault, and the access token minted from them is short-lived. Re-authenticate Pulumi with Tailscale using fresh credentials from the vault and re-run the preview.

Changes not taking effect: the control plane pushes a new policy to devices as soon as it is saved, so ACL changes normally take effect within seconds without restarting anything. ACLs are enforced on the receiving device, so if a connection is still blocked (or still allowed) after a change, run tailscale down && tailscale up on the destination device to force it to fetch the current policy.