From ee00ce837931e4996589d1e5198766d4fc910267 Mon Sep 17 00:00:00 2001
From: Noah White
Date: Sun, 5 Apr 2026 02:23:28 +0000
Subject: [PATCH] fix(OFF-64): use core user for officina-ci SSH to instances Least privilege: CI connects as core with sudo instead of root. Provides audit trail for privileged operations in journald.
---
 opentofu/modules/tailscale/main.tofu | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/opentofu/modules/tailscale/main.tofu b/opentofu/modules/tailscale/main.tofu
index d684e1e..7671b5e 100644
--- a/opentofu/modules/tailscale/main.tofu
+++ b/opentofu/modules/tailscale/main.tofu
@@ -128,7 +128,7 @@ resource "tailscale_acl" "soc_tailnet_acl" {
 "action" = "accept",
 "src" = ["tag:officina-ci"],
 "dst" = ["tag:officina-instance"],
- "users" = ["root"],
+ "users" = ["core"],
 },
 ],
 "groups" = {
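Review bot: Listing `core` instead of `root` in `"users"` narrows what `tag:officina-ci` can do only if `core`'s sudo rights on the instances are themselves limited. The sudoers policy is not visible in this patch; if `core` has unrestricted passwordless sudo, CI can still reach full root and the practical gain is the audit trail alone. That trail sits in journald on a host where the same login can become root, so it is worth confirming the journal is forwarded off-instance before relying on it. I would also record the intent next to the rule, e.g. `# officina-ci logs in as core; privileged steps go through sudo so they appear in journald (OFF-64)`. The rule and the enclosing `tailscale_acl` resource both begin outside the hunk, so the rest of the SSH policy could not be checked.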