blumeops/pulumi
Erich Blume e6d302b40b Harden Tailscale ACL policy with least-privilege grants (#23)
## Summary
- Replace permissive wildcard ACL (`*` -> `*`) with specific service grants
- Admin: full access to all services including NAS
- Member: user-facing services only (no Grafana/Loki/NAS)
- Add device tagging for gilbert (workstation) and sifaka (NAS) via Pulumi
- SSH hardening: remove root access, use "check" action with MFA
- Add ACL tests to validate policy behavior

## Deployment and Testing
- [x] Pulumi preview passes
- [x] HuJSON syntax validated
- [x] ACL tests defined and passing
- [ ] Deploy with `mise run tailnet-up`
- [ ] Verify SSH access from gilbert to indri
- [ ] Verify Allison cannot access Grafana/Loki/NAS

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/23
2026-01-17 11:58:04 -08:00
| File | Last commit | Date |
|---|---|---|
| .gitignore | Add Pulumi for tailnet IaC management (#15) | 2026-01-15 20:55:25 -08:00 |
| __main__.py | Harden Tailscale ACL policy with least-privilege grants (#23) | 2026-01-17 11:58:04 -08:00 |
| policy.hujson | Harden Tailscale ACL policy with least-privilege grants (#23) | 2026-01-17 11:58:04 -08:00 |
| Pulumi.tail8d86e.yaml | Add pre-commit hooks for code quality (#19) | 2026-01-16 19:33:02 -08:00 |
| Pulumi.yaml | Add pre-commit hooks for code quality (#19) | 2026-01-16 19:33:02 -08:00 |
| pyproject.toml | Add pre-commit hooks for code quality (#19) | 2026-01-16 19:33:02 -08:00 |