eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions
blumeops/pulumi/policy.hujson
Erich Blume adf6f4fbe9 Add PostgreSQL and Miniflux services to tailnet (#16) 
## Summary
- Add PostgreSQL 18 as a new service at `pg.tail8d86e.ts.net:5432`
- Add Miniflux RSS/Atom feed reader at `feed.tail8d86e.ts.net`
- Both services managed via homebrew/brew services
- Pulumi ACL tags added (tag:pg, tag:feed)
- Alloy log collection configured for both services
- Zettelkasten documentation updated

## Manual Setup Required

Before running ansible, the following steps are needed on indri:

### 1. Apply Pulumi tags
```bash
mise run tailnet-up
```
Then apply tags to indri in Tailscale admin console.

### 2. Create 1Password entries
- miniflux PostgreSQL user password
- miniflux admin password (for first run)

### 3. Set PostgreSQL user password (after ansible installs postgres)
```bash
ssh indri '/opt/homebrew/opt/postgresql@18/bin/psql -c "ALTER USER miniflux PASSWORD '\''your-password'\'';"'
```

### 4. Create password files on indri
```bash
ssh indri 'echo "your-db-password" > ~/.miniflux-db-password && chmod 600 ~/.miniflux-db-password'
ssh indri 'echo "your-admin-password" > ~/.miniflux-admin-password && chmod 600 ~/.miniflux-admin-password'
```

### 5. Create ~/.pgpass for borgmatic
```bash
ssh indri 'echo "localhost:5432:miniflux:miniflux:YOUR_PASSWORD" > ~/.pgpass && chmod 600 ~/.pgpass'
```

### 6. Run ansible with first-run admin creation
```bash
mise run provision-indri -- -e miniflux_create_admin=1
```

### 7. Update borgmatic config
Add to `~/.config/borgmatic/config.yaml` on indri:
```yaml
postgresql_databases:
    - name: miniflux
      hostname: localhost
      port: 5432
      username: miniflux
```

### 8. Cleanup after first run
```bash
ssh indri 'rm ~/.miniflux-admin-password'
```

## Test plan
- [ ] Run `mise run tailnet-up` and verify Pulumi changes
- [ ] Apply tags to indri in Tailscale admin
- [ ] Run `mise run provision-indri -- --check --diff` for dry run
- [ ] Run `mise run provision-indri -- -e miniflux_create_admin=1`
- [ ] Approve services in Tailscale admin
- [ ] Verify PostgreSQL: `ssh indri '/opt/homebrew/opt/postgresql@18/bin/pg_isready'`
- [ ] Verify Miniflux: `curl https://feed.tail8d86e.ts.net/healthcheck`
- [ ] Run `mise run indri-services-check`

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/16
2026-01-16 12:30:20 -08:00

111 lines
3.5 KiB
Text
Raw Blame History

// Example/default ACLs for unrestricted connections.
{
// Declare static groups of users. Use autogroups for all users or users with a specific role.
// "groups": {
// "group:example": ["alice@example.com", "bob@example.com"],
// },
// Define the tags which can be applied to devices and by which users.
// "tagOwners": {
// "tag:example": ["autogroup:admin"],
// },
// Define grants that govern access for users, groups, autogroups, tags,
// Tailscale IP addresses, and subnet ranges.
"grants": [
// Allow all connections.
// Comment this section out if you want to define specific restrictions.
{
"src": ["*"],
"dst": ["*"],
"ip": ["*"],
},
// Allow users in "group:example" to access "tag:example", but only from
// devices that are running macOS and have enabled Tailscale client auto-updating.
// {"src": ["group:example"], "dst": ["tag:example"], "ip": ["*"], "srcPosture":["posture:autoUpdateMac"]},
],
// Define postures that will be applied to all rules without any specific
// srcPosture definition.
// "defaultSrcPosture": [
// "posture:anyMac",
// ],
// Define device posture rules requiring devices to meet
// certain criteria to access parts of your system.
// "postures": {
// // Require devices running macOS, a stable Tailscale
// // version and auto update enabled for Tailscale.
// "posture:autoUpdateMac": [
// "node:os == 'macos'",
// "node:tsReleaseTrack == 'stable'",
// "node:tsAutoUpdate",
// ],
// // Require devices running macOS and a stable
// // Tailscale version.
// "posture:anyMac": [
// "node:os == 'macos'",
// "node:tsReleaseTrack == 'stable'",
// ],
// },
// Define users and devices that can use Tailscale SSH.
"ssh": [
// Allow all users to SSH into their own devices in check mode.
// Comment this section out if you want to define specific restrictions.
{
"action": "check",
"src": ["autogroup:member"],
"dst": ["autogroup:self"],
"users": ["autogroup:nonroot", "root"],
},
// Allow Erich to ssh on to the homelab server.
{
"src": ["blume.erich@gmail.com"],
"dst": ["tag:homelab"],
"users": ["autogroup:nonroot"],
"action": "check",
"checkPeriod": "12h0m0s",
},
],
"tagOwners": {
// Grafana service host tag
"tag:grafana": ["autogroup:admin", "tag:blumeops"],
// This tag applies to instances which are meant to be accessible in my homelab. These instances can be SSH'ed in to by any member of the admin autogroup.
"tag:homelab": ["autogroup:admin", "tag:blumeops"],
// Kiwix, a local wiki server. I use it to create mirrors of wikipedia.
"tag:kiwix": ["autogroup:admin", "tag:blumeops"],
// Service tag for forgejo, scm host and code forge
"tag:forge": ["autogroup:admin", "tag:blumeops"],
// devpi pypi index
"tag:devpi": ["autogroup:admin", "tag:blumeops"],
// Loki log collection
"tag:loki": ["autogroup:admin", "tag:blumeops"],
// PostgreSQL database server
"tag:pg": ["autogroup:admin", "tag:blumeops"],
// Miniflux RSS/Atom feed reader
"tag:feed": ["autogroup:admin", "tag:blumeops"],
// This tag is applied to resources modified by blumeops-pulumi IaC
// Includes itself so the OAuth client can apply it to devices
"tag:blumeops": ["autogroup:admin", "tag:blumeops"],
},
// Test access rules every time they're saved.
// "tests": [
// {
// "src": "alice@example.com",
// "accept": ["tag:example"],
// "deny": ["100.101.102.103:443"],
// },
// ],
}
Reference in a new issue View git blame Copy permalink