fix: change Tailscale SSH ACL from "check" to "accept" #263

Merged
forgejo_admin merged 1 commit from 262-tailscale-ssh-acl-accept into main 2026-04-04 19:16:37 +00:00
Contributor

Summary

Changes the Tailscale SSH ACL action from check (requires browser re-authentication) to accept (trusts Tailscale identity directly), eliminating the disruptive web auth prompt when SSH-ing between tailnet devices.

Changes

  • terraform/modules/networking/main.tf line 75: action = "check" -> action = "accept"

tofu plan Output

# module.networking.tailscale_acl.this will be updated in-place
~ resource "tailscale_acl" "this" {
    ~ acl = jsonencode(
        ~ {
            ~ ssh           = [
                ~ {
                    ~ action = "check" -> "accept"
                      # (3 unchanged attributes hidden)
                  },
              ]
              # (5 unchanged attributes hidden)
          }
      )
      id  = "acl"
      # (2 unchanged attributes hidden)
  }

Plan: 0 to change this resource, 1 to update in-place.

Note: Full plan also shows 2 unrelated additions (paledocs_db_url secret, embedding_worker_metrics service) from pre-existing drift on main.

Test Plan

  • tofu fmt -recursive -check -- passed
  • tofu validate -- passed
  • tofu plan -lock=false -- confirms only the SSH ACL action changes
  • After apply: tailscale ssh should connect without browser re-auth prompt

Review Checklist

  • tofu fmt -- passed
  • tofu validate -- passed
  • tofu plan output included above
  • Single-line change, no side effects
  • README roadmap -- no update needed

Related

Closes #262

Related Notes

None -- single ACL config change, no new conventions or SOPs affected.
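The PR trades the browser re-authentication that `check` enforces for `accept`, which trusts the Tailscale identity outright; the compensating control is the narrow scope (`autogroup:member` -> `autogroup:self`). The following audit script is an added example, not code from this PR or the pal-e-platform repository: it loads a Tailscale policy as plain JSON (the form `jsonencode()` emits) and flags any `ssh` rule that uses `accept` to reach hosts other than the user's own devices or to grant `root`, so the blast radius of a `check` -> `accept` change can be verified before `tofu apply`. The sample policy is constructed; the `users` value on the self-rule is an assumption, since the page does not show it.

```python
import json
from typing import Any

# Constructed sample policy, not the project's real ACL. Rule 0 mirrors the PR's
# rule (autogroup:member -> autogroup:self, now "accept"); its "users" value is
# an assumption, the page does not show it. Rules 1 and 2 exist only to give the
# audit something to flag and something to leave alone.
SAMPLE_POLICY = json.dumps({
    "ssh": [
        {"action": "accept", "src": ["autogroup:member"],
         "dst": ["autogroup:self"], "users": ["autogroup:nonroot"]},
        {"action": "accept", "src": ["autogroup:member"],
         "dst": ["tag:prod"], "users": ["root"]},
        {"action": "check", "src": ["autogroup:admin"],
         "dst": ["tag:prod"], "users": ["root"], "checkPeriod": "12h"},
    ],
})


def audit_ssh_rules(policy_text: str) -> list[tuple[int, str]]:
    """Return (rule_index, reason) for every ssh rule that "accept"s beyond
    the user's own devices or hands out root without re-authentication.

    Expects plain JSON, which is what Terraform's jsonencode() emits;
    hand-written HuJSON policy files would need a comment-tolerant loader.
    """
    policy: dict[str, Any] = json.loads(policy_text)
    findings: list[tuple[int, str]] = []
    for idx, rule in enumerate(policy.get("ssh", [])):
        if rule.get("action") != "accept":
            # "check" rules still force a browser re-auth, so they keep the
            # interactive control this PR removes for the self-rule.
            continue
        dst = rule.get("dst", [])
        users = rule.get("users", [])
        off_self = [d for d in dst if d != "autogroup:self"]
        if off_self:
            findings.append((idx, f"accept reaches beyond autogroup:self: {off_self}"))
        if "root" in users:
            findings.append((idx, "accept grants root without re-authentication"))
    return findings


def action_counts(policy_text: str) -> dict[str, int]:
    """Count ssh rules per action, a quick sanity check against the tofu plan."""
    counts: dict[str, int] = {}
    for rule in json.loads(policy_text).get("ssh", []):
        action = rule.get("action", "?")
        counts[action] = counts.get(action, 0) + 1
    return counts


if __name__ == "__main__":
    for idx, reason in audit_ssh_rules(SAMPLE_POLICY):
        print(f"ssh[{idx}]: {reason}")
    print(action_counts(SAMPLE_POLICY))
```

Run against the rendered policy (for example the `acl` value from `tofu show -json`, fed through a small wrapper), an empty findings list confirms that every `accept` rule is still confined to `autogroup:self` and non-root users; the self-rule from this PR passes, while a rule like the constructed `tag:prod` one would be reported.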

fix: change Tailscale SSH ACL from "check" to "accept"
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
ci/woodpecker/pr/woodpecker Pipeline was successful
ci/woodpecker/pull_request_closed/woodpecker Pipeline was successful
7e55adab2c
Eliminates the browser-based re-authentication prompt for Tailscale SSH
by switching from "check" (requires web auth) to "accept" (trusts
Tailscale identity directly). Scoped to autogroup:member -> autogroup:self.

Closes forgejo_admin/pal-e-platform#262

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
forgejo_admin deleted branch 262-tailscale-ssh-acl-accept 2026-04-04 19:16:37 +00:00