blumeops/pulumi/policy.hujson

// Tailnet ACL policy for tail8d86e.ts.net
// Managed by blumeops-pulumi
{
	// ============== Groups ==============
	"groups": {
		// Placeholder for future Jellyfin media access
		"group:allisonflix": [
			"blume.erich@gmail.com",
			"acmdavis@gmail.com",
		],
	},

	// ============== Access Grants ==============
	"grants": [
		// --- Admins: full access to all infrastructure ---
		{
			"src": ["autogroup:admin"],
			"dst": ["*"],
			"ip":  ["*"],
		},

		// --- Members: user-facing services only ---
		// Kiwix, Forge, devpi, Miniflux, PostgreSQL
		{
			"src": ["autogroup:member"],
			"dst": ["tag:kiwix"],
			"ip":  ["tcp:443"],
		},
		{
			"src": ["autogroup:member"],
			"dst": ["tag:forge"],
			"ip":  ["tcp:443", "tcp:22"],
		},
		{
			"src": ["autogroup:member"],
			"dst": ["tag:devpi"],
			"ip":  ["tcp:443"],
		},
		{
			"src": ["autogroup:member"],
			"dst": ["tag:feed"],
			"ip":  ["tcp:443"],
		},
		{
			"src": ["autogroup:member"],
			"dst": ["tag:pg"],
			"ip":  ["tcp:5432"],
		},
		// Note: No member access to grafana, loki, or NAS

		// --- Infrastructure ---
		{
			"src": ["tag:homelab"],
			"dst": ["tag:homelab"],
			"ip":  ["*"],
		},
		{
			"src": ["tag:homelab"],
			"dst": ["tag:nas"],
			"ip":  ["*"],
		},

		// --- Kubernetes workloads ---
		// k8s workloads (e.g., Woodpecker CI) can push/pull from registry
		{
			"src": ["tag:k8s"],
			"dst": ["tag:registry"],
			"ip":  ["tcp:443"],
		},
		// k8s workloads (e.g., ArgoCD) can access forge on indri for GitOps
		// HTTP on 3001, SSH on 2200
		{
			"src": ["tag:k8s"],
			"dst": ["tag:homelab"],
			"ip":  ["tcp:3001", "tcp:2200"],
		},

		// Homelab can reach k8s services: PostgreSQL, CNPG metrics, Prometheus/Loki
		{
			"src": ["tag:homelab"],
			"dst": ["tag:k8s"],
			"ip":  ["tcp:443", "tcp:5432", "tcp:9187"],
		},
	],

	// ============== SSH Access ==============
	"ssh": [
		// Members can SSH to their own devices
		{
			"action": "check",
			"src":    ["autogroup:member"],
			"dst":    ["autogroup:self"],
			"users":  ["autogroup:nonroot"],
		},
		// Admins can SSH to homelab (for ansible)
		{
			"action": "check",
			"src":    ["autogroup:admin"],
			"dst":    ["tag:homelab"],
			"users":  ["autogroup:nonroot"],
			"checkPeriod": "12h0m0s",
		},
		// Admins can SSH to NAS
		{
			"action": "check",
			"src":    ["autogroup:admin"],
			"dst":    ["tag:nas"],
			"users":  ["autogroup:nonroot"],
			"checkPeriod": "12h0m0s",
		},
	],

	// ============== Tag Owners ==============
	"tagOwners": {
		"tag:blumeops": ["autogroup:admin", "tag:blumeops"],
		"tag:homelab": ["autogroup:admin", "tag:blumeops"],
		"tag:workstation": ["autogroup:admin", "tag:blumeops"],
		"tag:nas": ["autogroup:admin", "tag:blumeops"],
		"tag:grafana": ["autogroup:admin", "tag:blumeops"],
		"tag:kiwix": ["autogroup:admin", "tag:blumeops"],
		"tag:forge": ["autogroup:admin", "tag:blumeops"],
		"tag:devpi": ["autogroup:admin", "tag:blumeops"],
		"tag:loki": ["autogroup:admin", "tag:blumeops"],
		"tag:pg": ["autogroup:admin", "tag:blumeops"],
		"tag:feed": ["autogroup:admin", "tag:blumeops"],
		"tag:registry": ["autogroup:admin", "tag:blumeops"],
		"tag:k8s-api": ["autogroup:admin", "tag:blumeops"],
		"tag:k8s-operator": ["autogroup:admin", "tag:blumeops"],
		"tag:k8s": ["autogroup:admin", "tag:blumeops", "tag:k8s-operator"],
	},

	// ============== ACL Tests ==============
	"tests": [
		// Erich can access everything
		{
			"src":    "blume.erich@gmail.com",
			"accept": ["tag:grafana:443", "tag:kiwix:443", "tag:feed:443", "tag:loki:3100", "tag:pg:5432", "tag:homelab:22", "tag:registry:443", "tag:k8s-api:443"],
		},
		// Allison can access user services but NOT grafana, loki, or NAS
		{
			"src":    "acmdavis@gmail.com",
			"accept": ["tag:kiwix:443", "tag:forge:443", "tag:feed:443", "tag:pg:5432"],
			"deny":   ["tag:grafana:443", "tag:loki:3100", "tag:nas:445", "tag:registry:443", "tag:k8s-api:443"],
		},
		// Homelab can reach homelab, NAS, and k8s services (postgres, metrics, prometheus/loki)
		{
			"src":    "tag:homelab",
			"accept": ["tag:homelab:22", "tag:nas:445", "tag:k8s:443", "tag:k8s:5432", "tag:k8s:9187"],
		},
		// K8s workloads can reach registry and forge (on indri:3001 HTTP, :2200 SSH)
		{
			"src":    "tag:k8s",
			"accept": ["tag:registry:443", "tag:homelab:3001", "tag:homelab:2200"],
		},
	],
}