Change Tailscale SSH ACL from "check" to "accept" for admin devices #262

Closed
opened 2026-04-04 17:13:25 +00:00 by forgejo_admin · 1 comment

Type

Feature

Lineage

Standalone — discovered during SSH debugging session (2026-04-04).
Termius on iPhone cannot complete the browser-based approval flow that "check" requires.

Repo

forgejo_admin/pal-e-platform

User Story

As an admin using Termius on my iPhone
I want direct SSH access to archbox via Tailscale
So that I can manage the platform from mobile without needing a browser approval step

Context

The Tailscale ACL SSH rule in terraform/modules/networking/main.tf:73-80 is currently:

ssh = [
  {
    action = "check"
    src    = ["autogroup:member"]
    dst    = ["autogroup:self"]
    users  = ["autogroup:nonroot", "root"]
  }
]

"check" maps to Tailscale's holdAndDelegate behavior — every SSH session requires browser-based approval. This works with tailscale ssh CLI but breaks standalone SSH clients (Termius, PuTTY, any standard SSH client) because they can't follow the HTTP redirect.

The ts-input iptables chain also DROPs all 100.64.0.0/10 traffic (Tailscale CGNAT range), confirming the ACL blocks peer SSH at the firewall level when Tailscale SSH isn't intercepting.

Changing to "accept" for autogroup:member → autogroup:self is safe because:

  • Only authenticated tailnet members can connect (WireGuard identity, not IP spoofable)
  • autogroup:self limits SSH to your own devices only
  • The tailnet already grants autogroup:admin full access on all ports via the grants block

File Targets

Files the agent should modify:

  • terraform/modules/networking/main.tf — change action = "check" to action = "accept" in the ssh block (line 76)

Files the agent should NOT touch:

  • terraform/modules/networking/variables.tf — no new variables needed
  • Any funnel or grant definitions — SSH ACL is independent

Acceptance Criteria

  • tofu plan shows only the ACL policy update (no other resource changes)
  • After tofu apply, tailscale debug netmap SSH policy shows accept: true (not holdAndDelegate)
  • SSH from iPhone Termius to archbox succeeds without browser approval
  • SSH from MacBook continues to work

Test Expectations

  • tofu validate passes
  • tofu plan -lock=false shows exactly 1 resource change (tailscale_acl.this)
  • No other ACL rules affected (grants, nodeAttrs, tagOwners unchanged)

Constraints

  • Must run tofu fmt before committing
  • Must include tofu plan output in PR
  • Must use -lock=false for plan commands (state lock blocks CI)
  • This is a 1-line change — do not refactor surrounding ACL structure

Checklist

  • PR opened
  • tofu plan output included
  • No unrelated changes
  • pal-e-platform — project this affects
  • sop-platform-tf-changes — SOP for terraform changes in this repo
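The acceptance criteria above ask for two things that are easy to eyeball wrong in a long `tofu plan` diff: that the only leaf that changed in the rendered ACL policy is `ssh[0].action` (check → accept), and that the new `accept` rule still reaches no further than `autogroup:self`, which is the whole safety argument. The following script is an added example, not code from the pal-e-platform repo: it models the policy as the JSON that `tailscale_acl` ultimately carries, diffs a before/after pair leaf by leaf, and flags any `accept` SSH rule whose `dst` is wider than `autogroup:self`. The `tagOwners` and `grants` entries are placeholder assumptions, included only so the check has unrelated sections to prove untouched; in practice load both policies from `tofu show -json` or the rendered policy file.

```python
"""Verify that a Tailscale ACL change touches only ssh[0].action.

Added example; not part of pal-e-platform. Policies are constructed here as
dicts mirroring the HCL quoted in the ticket (a real run would load them from
`tofu show -json` or the rendered HuJSON policy).
"""
import copy
import json
from typing import Any, Iterator

# Constructed sample. tagOwners/grants are assumed placeholders so that the
# diff check has unrelated sections it must report as unchanged.
POLICY_BEFORE: dict[str, Any] = {
    "tagOwners": {"tag:server": ["autogroup:admin"]},
    "grants": [{"src": ["autogroup:admin"], "dst": ["*"], "ip": ["*"]}],
    "ssh": [
        {
            "action": "check",           # browser approval on every session
            "src": ["autogroup:member"],
            "dst": ["autogroup:self"],
            "users": ["autogroup:nonroot", "root"],
        }
    ],
}

_ABSENT = "<absent>"  # marker for a leaf present on only one side of the diff


def with_ssh_rule(policy: dict[str, Any], index: int, **fields: Any) -> dict[str, Any]:
    """Return a deep copy of policy with fields merged into ssh[index]."""
    new = copy.deepcopy(policy)
    new["ssh"][index].update(fields)
    return new


# The one-line change the ticket asks for.
POLICY_AFTER = with_ssh_rule(POLICY_BEFORE, 0, action="accept")


def flatten(obj: Any, prefix: str = "") -> Iterator[tuple[str, Any]]:
    """Yield (json-path, leaf value) pairs for a nested dict/list structure."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from flatten(value, f"{prefix}.{key}" if prefix else key)
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            yield from flatten(value, f"{prefix}[{i}]")
    else:
        yield prefix, obj


def policy_diff(before: dict[str, Any], after: dict[str, Any]) -> dict[str, tuple]:
    """Return {path: (old, new)} for every leaf that differs between the two policies."""
    b, a = dict(flatten(before)), dict(flatten(after))
    return {
        path: (b.get(path, _ABSENT), a.get(path, _ABSENT))
        for path in sorted(set(b) | set(a))
        if b.get(path, _ABSENT) != a.get(path, _ABSENT)
    }


def only_ssh_action_changed(before: dict[str, Any], after: dict[str, Any], index: int = 0) -> bool:
    """True iff the sole difference is ssh[index].action going check -> accept."""
    return policy_diff(before, after) == {f"ssh[{index}].action": ("check", "accept")}


def unsafe_accept_rules(policy: dict[str, Any]) -> list[int]:
    """Indices of ssh rules that 'accept' (no browser check) to a dst other than
    autogroup:self. Such a rule would extend approval-free SSH beyond the
    connecting user's own devices, which is the boundary the ticket relies on."""
    return [
        i
        for i, rule in enumerate(policy.get("ssh", []))
        if rule.get("action") == "accept" and set(rule.get("dst", [])) != {"autogroup:self"}
    ]


if __name__ == "__main__":
    print(json.dumps(policy_diff(POLICY_BEFORE, POLICY_AFTER), indent=2))
    print("only ssh action changed:", only_ssh_action_changed(POLICY_BEFORE, POLICY_AFTER))
    print("unsafe accept rules:", unsafe_accept_rules(POLICY_AFTER))
```

Run against the real before/after policies, a non-empty list from `unsafe_accept_rules` or a diff with more than the single `ssh[0].action` entry is exactly the "unrelated changes" the checklist says must not be in the PR.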
Comment by forgejo_admin (issue author):

Scope Review: READY

Review note: review-802-2026-04-04
Ticket is well-scoped: 1-line change, file target verified at line 75, all template sections complete, story note confirmed.

  • [SCOPE] Missing arch-networking architecture note in pal-e-docs — create it to complete the traceability triangle.
Reference
ldraney/pal-e-platform#262