Add tag:m3-agents to Tailscale ACL and automate agent auth (#43) #38

Merged
AlexCaswen merged 1 commit from add-tailscale-agents into main 2026-05-08 14:00:22 +00:00
AlexCaswen commented 2026-05-08 12:08:32 +00:00 (Migrated from gitlab.com)

Summary

Adds tag:m3-agents to the Tailscale ACL and wires up automated Tailscale authentication in the deploy-claude-code CI job.

ACL changes (acl.hujson)

| Rule | Purpose |
|------|---------|
| tag:m3-agents in tagOwners | New tag for AI agent containers |
| CI → agents | Deploy jobs can reach agent containers |
| Agents → monitoring | Grafana MCP read-only dashboard access |
| Agents → internet | Aperture, git, package downloads |
| Admin SSH → agents | Tailscale SSH console access |

CI changes (.gitlab-ci.yml)

deploy-claude-code now runs tailscale up after nixos-rebuild switch:

  • Idempotent: checks tailscale status first, skips if already connected
  • Uses TAILSCALE_AGENTS_AUTHKEY CI variable (reusable, tagged tag:m3-agents)

Prerequisites

Before merging, create a CI variable:

  • Key: TAILSCALE_AGENTS_AUTHKEY
  • Value: Reusable auth key from Tailscale admin console, tagged tag:m3-agents
  • Masked: Yes
  • Hidden: Yes
  • Protected: No (MR branch pipelines need access)

Post-merge

After deploy-claude-code runs and Tailscale authenticates, you'll need to sign the node via Tailnet Lock from your iPhone or MacBook.

Closes #43

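An added sketch of the idempotent `tailscale up` step the description outlines; this is example code, not the merged `.gitlab-ci.yml` or the project's own script. It assumes the auth key arrives in the `TAILSCALE_AGENTS_AUTHKEY` CI variable, that `tailscale` is on PATH, and that the node should advertise `tag:m3-agents` and enable Tailscale SSH to match the ACL rules above.

```shell
# Return 0 when a `tailscale status --json` document reports the node as
# already connected (BackendState "Running"), 1 otherwise. Parsed with grep
# so the CI image does not need jq.
tailscale_is_running() {
  status_json="$1"
  printf '%s' "$status_json" |
    grep -Eq '"BackendState"[[:space:]]*:[[:space:]]*"Running"'
}

# Join the tailnet only when not already connected, so re-running the deploy
# job after nixos-rebuild switch is a no-op on an authenticated node.
ensure_tailscale_up() {
  # `tailscale status --json` exits non-zero while the daemon is logged out;
  # treat that as "not running" instead of failing the job here.
  status_json="$(tailscale status --json 2>/dev/null || true)"
  if tailscale_is_running "$status_json"; then
    echo "tailscale: already connected, skipping tailscale up"
    return 0
  fi

  # Fail early with a clear message if the CI variable is missing.
  : "${TAILSCALE_AGENTS_AUTHKEY:?TAILSCALE_AGENTS_AUTHKEY is not set}"

  # The key is passed as an argument, so keep shell tracing (set -x) off in
  # this job: GitLab masks the variable in job logs, not in traced commands.
  # --advertise-tags must match the tag the reusable key was minted with.
  tailscale up \
    --auth-key="${TAILSCALE_AGENTS_AUTHKEY}" \
    --advertise-tags=tag:m3-agents \
    --ssh
  echo "tailscale: joined tailnet as tag:m3-agents"
}
```

After the node is up, Tailnet Lock still has to sign it before it can talk to the rest of the tailnet, as the Post-merge note says.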
AlexCaswen commented 2026-05-08 14:00:23 +00:00 (Migrated from gitlab.com)

mentioned in commit f04077d982
AlexCaswen (Migrated from gitlab.com) merged commit f04077d982 into main 2026-05-08 14:00:23 +00:00
Reference
midwitmoneymgmt/m3-infra!38