
Commit 3eeb402

authored
feat: allow officina-ci to SSH to officina-instance hosts (#361)
Add Tailscale ACL grant and SSH rule so tag:officina-ci can reach tag:officina-instance on port 22 as root. Required for the officina provision-host-secrets workflow to deposit tokens and trigger the reconciler via tailscale ssh.
1 parent b0c8457 commit 3eeb402

1 file changed

Lines changed: 11 additions & 0 deletions


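--- a/opentofu/modules/tailscale/main.tofu
+++ b/opentofu/modules/tailscale/main.tofu
@@ -84,6 +84,11 @@ resource "tailscale_acl" "soc_tailnet_acl" {
 "src" : ["tag:officina-instance"],
 "dst" : ["tag:infisical"],
 "ip" : ["443"]
+},
+{
+"src" : ["tag:officina-ci"],
+"dst" : ["tag:officina-instance"],
+"ip" : ["22"]
 }
 ],
 "ssh" = [
@@ -119,6 +124,12 @@ resource "tailscale_acl" "soc_tailnet_acl" {
 "dst" = ["tag:officina-instance"],
 "users" = ["core"],
 },
+{
+"action" = "accept",
+"src" = ["tag:officina-ci"],
+"dst" = ["tag:officina-instance"],
+"users" = ["root"],
+},
 ],
 "groups" = {
 "group:devs" = ["noah@noahwhite.net"],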
