eblume/blumeops
1
1
Fork 0
Code Issues Pull requests Projects Releases 83 Packages Wiki Activity Actions

C1: deploy adelaide-baby-shower-app to ringtail k3s #349

Merged
eblume merged 20 commits from shower-app-deploy into main 2026-05-11 13:47:20 -07:00
Conversation 2 Commits 20 Files changed 28 +27 -5
1 changed files with 27 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files
Showing only changes of commit eec455e56a - Show all commits

C1: fix expose-service-publicly tailscale key flow

Prev Next 
Doc said "Store the auth key in 1Password as well for the \`fly-setup\`
mise task" right next to the description of fly-setup, which reads
the key from Pulumi state, not 1Password. No code path anywhere reads
this key from 1P — the instruction is vestigial from an earlier
design and confused us during the v1.0.1 rotation when the
flyio-proxy-key expired.

Rewrite the section to:
  - point at \`mise run fly-setup\` as the canonical path
  - state explicitly that Pulumi state is the only source of truth
  - document the rotation recipe (tailnet-up --replace=<urn> +
    fly-setup + fly-deploy) for the next time this 90-day key lapses

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Erich Blume 2026-05-11 11:25:02 -07:00
commit eec455e56a

36
docs/tutorials/expose-service-publicly.md
View file

@ -176,17 +176,39 @@ Indri carries `tag:flyio-target` so the Fly proxy can reach Caddy. No per-servic
Deploy: `mise run tailnet-preview` then `mise run tailnet-up`.
After deploying, extract the auth key and set it as a Fly.io secret:
After deploying, push the auth key to Fly.io. The simplest path is
`mise run fly-setup`, which reads the current value from Pulumi state
and stages it as a Fly.io secret:
```bash
# Get the key from Pulumi state
cd pulumi/tailscale && pulumi stack output flyio_authkey --show-secrets
# Set it in Fly.io
fly secrets set TS_AUTHKEY="tskey-auth-..." -a blumeops-proxy
mise run fly-setup
```
Store the auth key in 1Password as well for the `fly-setup` mise task.
Manual equivalent for reference:
```bash
cd pulumi/tailscale && pulumi stack output flyio_authkey --show-secrets
# then in fly/:
fly secrets set TS_AUTHKEY="tskey-auth-..." -a blumeops-proxy --stage
```
**Pulumi state is the only source of truth for this key.** No other
process (mise tasks, ansible, scripts) reads it from anywhere else —
in particular, the key is not stored in 1Password. To rotate
(every 90 days, or after a compromise), force-replace the resource
and re-run `fly-setup`:
```bash
mise run tailnet-up -- \
--replace='urn:pulumi:tail8d86e::blumeops-tailnet::tailscale:index/tailnetKey:TailnetKey::flyio-proxy-key'
mise run fly-setup
mise run fly-deploy
```
Pulumi destroys the old key and mints a new 90-day one in a single
operation. Older fly machines that already authed against the old key
are unaffected (they don't need it after the initial join); only
*new* machine starts read the rotated value.
### Step 4: Mise tasks