## Summary

- Remove aliases from all zk cards to prevent them from capturing wiki-links
- Convert all wiki-links from `[[filename|Title]]` to `[[Title]]` format
- Replace `doc-filenames` task with `doc-titles` for duplicate title detection
- Update pre-commit hook to use `doc-titles`

Wiki-links now resolve to reference docs by their frontmatter title, which is more readable and maintainable than filename-based links.

## Deployment and Testing

- [x] Pre-commit hooks pass (including new `doc-titles` check)
- [x] Manually verified zk cards have aliases removed
- [ ] Deploy docs v1.0.7 and verify wiki-links resolve correctly
- [ ] Test links to reference docs (e.g., [[Grafana Alloy]], [[ArgoCD]])

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/91

70 lines
1.6 KiB
Markdown
---
id: pulumi
tags:
- blumeops
---

# Pulumi Tailnet IaC Management Log

Pulumi manages the tail8d86e.ts.net tailnet configuration, including ACLs, tags, and DNS settings.

## Architecture

Two-layer approach:
- **Layer 1 (Pulumi)**: Tailnet-wide config - ACLs, tags, DNS (this card)
- **Layer 2 (Ansible)**: Node-local `tailscale serve` config - see `tailscale_serve` role

## Service Details

- State backend: Pulumi Cloud (https://app.pulumi.com/eblume/blumeops-tailnet)
- Stack: `tail8d86e`
- Config directory: `pulumi/` in blumeops repo
- Policy file: `pulumi/policy.hujson` (HuJSON with comments)

## Authentication

Uses OAuth client stored in 1Password (blumeops vault):
- Client configured with scopes: acl, dns, devices, services
- Auto-applies `tag:blumeops` to IaC-managed resources

## Useful Commands

```bash
# Preview changes
mise run tailnet-preview

# Apply changes
mise run tailnet-up

# View current state
mise run tailnet-preview

# Pass additional args
mise run tailnet-up -- --yes
```

## Making ACL Changes

1. Edit `pulumi/policy.hujson` in the blumeops repo
2. Run `mise run tailnet-preview` to see what will change
3. Run `mise run tailnet-up` to apply
4. Commit and push

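A pre-flight check that could run on the edited policy before the preview step, as an added example (not part of the blumeops repo): it parses HuJSON and flags any-to-any accept rules and tags used in `acls` but missing from `tagOwners`. The function names and the sample policy are constructed for illustration, and the choice of what to flag is an assumption.

```python
import json
import re
import sys

STRING = r'("(?:\\.|[^"\\])*")'  # a whole JSON string literal, escapes included

def hujson_to_json(text):
    """Strip comments and trailing commas; string literals are copied untouched."""
    keep = lambda m: m.group(1) or ""
    text = re.sub(STRING + r"|//[^\n]*|/\*.*?\*/", keep, text, flags=re.S)
    return re.sub(STRING + r"|,(\s*[}\]])", lambda m: m.group(1) or m.group(2), text)

def lint_policy(text):
    """Return (rule_index, message) findings for a Tailscale policy document."""
    policy = json.loads(hujson_to_json(text))
    declared = set(policy.get("tagOwners", {}))
    findings = []
    for n, rule in enumerate(policy.get("acls", [])):
        src, dst = rule.get("src", []), rule.get("dst", [])
        if rule.get("action") == "accept" and "*" in src and "*:*" in dst:
            findings.append((n, "any-to-any accept rule"))
        # dst entries carry a ":ports" suffix that is not part of the tag name
        tags = [s for s in src if s.startswith("tag:")]
        tags += [d.rsplit(":", 1)[0] for d in dst if d.startswith("tag:")]
        findings += [(n, f"undeclared tag {t}") for t in tags if t not in declared]
    return findings

# Constructed sample, not the blumeops policy; only tag:blumeops comes from the page.
SAMPLE = """
{
  // HuJSON allows comments and trailing commas
  "tagOwners": {
    "tag:blumeops": ["autogroup:admin"],   /* declared tag */
  },
  "acls": [
    {"action": "accept", "src": ["tag:blumeops"], "dst": ["tag:blumeops:443"]},
    {"action": "accept", "src": ["*"], "dst": ["*:*"]},   // too broad
    {"action": "accept", "src": ["tag:ci"], "dst": ["tag:blumeops:22"],},
  ],
}
"""

if __name__ == "__main__":
    # With no argument, lint the constructed sample; otherwise lint the given file.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for n, msg in lint_policy(text):
        print(f"acls[{n}]: {msg}")
```

Pointing it at `pulumi/policy.hujson` prints one line per finding, indexed by position in the `acls` array.
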
## What's Managed

Currently managed by Pulumi:
- ACL policy (`tailscale:index:Acl`)

Can be added later:
- DNS nameservers (`tailscale:index:DnsNameservers`)
- DNS search paths (`tailscale:index:DnsSearchPaths`)
- Tailnet settings (`tailscale:index:TailnetSettings`)

## Log

### Wed Jan 15 2026

- Initial setup with Pulumi + Python
- Imported existing ACL from Tailscale
- State stored in Pulumi Cloud (free tier)
- OAuth authentication via 1Password